From 8b85d5dfd22c56ea9a54df37219492ad3b6d5605 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Tue, 30 Jan 2024 13:53:31 -0800
Subject: Directize: Handle overflows and out of bounds (#6255)
---
 src/ir/table-utils.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/ir/table-utils.h b/src/ir/table-utils.h
index a94691e9f..5299ba3e1 100644
--- a/src/ir/table-utils.h
+++ b/src/ir/table-utils.h
@@ -20,6 +20,7 @@
 #include "ir/element-utils.h"
 #include "ir/literal-utils.h"
 #include "ir/module-utils.h"
+#include "support/stdckdint.h"
 #include "wasm-traversal.h"
 #include "wasm.h"
 
@@ -40,7 +41,13 @@ struct FlatTable {
 return;
 }
 Index start = offset->cast()->value.geti32();
- Index end = start + segment->data.size();
+ Index size = segment->data.size();
+ Index end;
+ if (std::ckd_add(&end, start, size) || end > table.initial) {
+ // Overflow.
+ valid = false;
+ return;
+ }
 if (end > names.size()) {
 names.resize(end);
 }
-- 
cgit v1.2.3
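Review bot: The `// Overflow.` comment in the new guard of the second hunk describes only half of the condition: the branch is also taken when `end > table.initial`, meaning the segment would end past the table's initial size, which is an out-of-bounds case rather than an arithmetic overflow. I would reword it to `// Overflow, or the segment ends past the table's initial size.` so that a later edit does not drop the bounds half as redundant. Separately, `Index size = segment->data.size();` narrows the container size to `Index` before `std::ckd_add` sees it, so if `Index` is narrower than the container's size type the checked add would operate on an already truncated value; this is presumably unreachable for real modules, but a one-line comment or an assert on the narrowing would make that assumption explicit. The enclosing function starts and ends outside the hunk.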