[wasm] Check for malformed mutability

src/wasm/module-decoder.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/wasm/module-decoder.h"
 
 #include "src/base/functional.h"
 #include "src/base/platform/platform.h"
 #include "src/flags.h"
 #include "src/macro-assembler.h"
@@ skipping 316 matching lines @@
             SetHasMemory(module);
             break;
           }
           case kExternalGlobal: {
             // ===== Imported global =========================================
             import->index = static_cast<uint32_t>(module->globals.size());
             module->globals.push_back(
                 {kWasmStmt, false, WasmInitExpr(), 0, true, false});
             WasmGlobal* global = &module->globals.back();
             global->type = consume_value_type();
-            global->mutability = consume_u8("mutability") != 0;
+            global->mutability = consume_mutability();
             if (global->mutability) {
               error("mutable globals cannot be imported");
             }
             break;
           }
           default:
             error(pos, pos, "unknown import kind 0x%02x", import->kind);
             break;
         }
       }
@@ skipping 341 matching lines @@
       error("At most one memory object is supported");
     } else {
       module->has_memory = true;
     }
   }
 
   // Decodes a single global entry inside a module starting at {pc_}.
   void DecodeGlobalInModule(WasmModule* module, uint32_t index,
                             WasmGlobal* global) {
     global->type = consume_value_type();
-    global->mutability = consume_u8("mutability") != 0;
+    global->mutability = consume_mutability();
     const byte* pos = pc();
     global->init = consume_init_expr(module, kWasmStmt);
     switch (global->init.kind) {
       case WasmInitExpr::kGlobalIndex: {
         uint32_t other_index = global->init.val.global_index;
         if (other_index >= index) {
           error(pos, pos,
                 "invalid global index in init expression, "
                 "index %u, other_index %u",
                 index, other_index);
@@ skipping 271 matching lines @@
       expr.kind = WasmInitExpr::kNone;
     }
     if (expected != kWasmStmt && TypeOf(module, expr) != kWasmI32) {
       error(pos, pos, "type error in init expression, expected %s, got %s",
             WasmOpcodes::TypeName(expected),
             WasmOpcodes::TypeName(TypeOf(module, expr)));
     }
     return expr;
   }
 
+  // Read a mutability flag
+  bool consume_mutability() {
+    byte val = consume_u8("mutability");
+    if (val > 1) error(pc_ - 1, "invalid mutability");
+    return val != 0;
+  }
+
   // Reads a single 8-bit integer, interpreting it as a local type.
   ValueType consume_value_type() {
     byte val = consume_u8("value type");
     ValueTypeCode t = static_cast<ValueTypeCode>(val);
     switch (t) {
       case kLocalI32:
         return kWasmI32;
       case kLocalI64:
         return kWasmI64;
       case kLocalF32:
@@ skipping 238 matching lines @@
     table.push_back(std::move(func_asm_offsets));
   }
   if (decoder.more()) decoder.error("unexpected additional bytes");
 
   return decoder.toResult(std::move(table));
 }
 
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8