From 0c7f8cd69b6065fbc9a2af8927182ffe529e052e Mon Sep 17 00:00:00 2001
From: Manos Koukoutos
Date: Thu, 21 Mar 2024 11:38:08 +0100
Subject: [PATCH] [Backport] CVE-2024-2887: Type Confusion in WebAssembly

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5380190:

Merged: [wasm] Check for type-definition count limit

(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)

Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow
Reviewed-by: Jakob Kummerow
Auto-Submit: Manos Koukoutos
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe
Commit-Queue: Adam Klein
Reviewed-by: Adam Klein
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553292
Reviewed-by: Michal Klocek
---
 chromium/v8/src/wasm/module-decoder-impl.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/chromium/v8/src/wasm/module-decoder-impl.h b/chromium/v8/src/wasm/module-decoder-impl.h
index 97554288b55..75ca3a630a2 100644
--- a/chromium/v8/src/wasm/module-decoder-impl.h
+++ b/chromium/v8/src/wasm/module-decoder-impl.h
@@ -687,6 +687,11 @@ class ModuleDecoderImpl : public Decoder {
 }
 } else {
 if (tracer_) tracer_->TypeOffset(pc_offset());
+ if (initial_size + 1 > kV8MaxWasmTypes) {
+ errorf(pc(), "Type definition count exceeds maximum %zu",
+ kV8MaxWasmTypes);
+ return;
+ }
 // Similarly to above, we need to resize types for a group of size 1.
 module_->types.resize(initial_size + 1);
 module_->isorecursive_canonical_type_ids.resize(initial_size + 1);
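Review bot: The diffstat lists only module-decoder-impl.h, so the new bound in the single-type branch has no regression test in this backport; a decoder test that feeds a module with kV8MaxWasmTypes + 1 singleton type definitions (generated at test time rather than checked in) and expects the "Type definition count exceeds maximum" error would pin the fix and catch a future refactor that drops it. The new `if` also separates the "Similarly to above" comment from the resize it explains, so a one-line comment on the guard itself would help, e.g. `// Keep the total type count within kV8MaxWasmTypes before growing the tables.`; the matching rec-group check that the comment refers to lies above the hunk, so I am inferring its existence from the comment rather than from visible lines. The enclosing function starts and ends outside the hunk.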