[wasm] Bound the table size by Smi::kMaxValue.

BUG=chromium:649283
R=titzer@chromium.org
TEST=mjsunit/wasm/table

Review-Url: https://codereview.chromium.org/2358923003
Cr-Commit-Position: refs/heads/master@{#39711}

src/wasm/wasm-js.cc

@@ -365,11 +365,12 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
       return;
     }
   }
+  const int max_table_size = 1 << 26;
   // The descriptor's 'initial'.
   int initial;
   if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
                           v8_str(isolate, "initial"), &initial, 0,
-                          std::numeric_limits<int>::max())) {
+                          max_table_size)) {
     return;
   }
   // The descriptor's 'maximum'.
@@ -377,7 +378,7 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
   bool has_maximum = true;
   if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
                           v8_str(isolate, "maximum"), &maximum, initial,
-                          std::numeric_limits<int>::max())) {
+                          max_table_size)) {
     if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
         thrower.error()) {
       return;

test/mjsunit/wasm/table.js

@@ -7,6 +7,7 @@
 // Basic tests.
 
 var outOfUint32RangeValue = 1e12;
+var int32ButOob = 1073741824;
 
 (function TestConstructor() {
   assertTrue(WebAssembly.Table instanceof Function);
@@ -35,6 +36,8 @@ var outOfUint32RangeValue = 1e12;
   assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 10, maximum: outOfUint32RangeValue}), RangeError);
   assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 10, maximum: 9}), RangeError);
 
+  assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: int32ButOob}));
+
   let table = new WebAssembly.Table({element: "anyfunc", initial: 1});
   assertSame(WebAssembly.Table.prototype, table.__proto__);
   assertSame(WebAssembly.Table, table.constructor);