From 10d7ad9d9469f7a862d89c6f561b59053b70288e Mon Sep 17 00:00:00 2001
From: ahaas <ahaas@chromium.org>
Date: Mon, 26 Sep 2016 03:15:03 -0700
Subject: [PATCH] [wasm] Bound the table size by Smi::kMaxValue.

BUG=chromium:649283
R=titzer@chromium.org
TEST=mjsunit/wasm/table

Review-Url: https://codereview.chromium.org/2358923003
Cr-Commit-Position: refs/heads/master@{#39711}
---
 src/wasm/wasm-js.cc        | 5 +++--
 test/mjsunit/wasm/table.js | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
index 9494d4c0df..0b6b25b127 100644
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -365,11 +365,12 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
       return;
     }
   }
+  const int max_table_size = 1 << 26;
   // The descriptor's 'initial'.
   int initial;
   if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
                           v8_str(isolate, "initial"), &initial, 0,
-                          std::numeric_limits<int>::max())) {
+                          max_table_size)) {
     return;
   }
   // The descriptor's 'maximum'.
@@ -377,7 +378,7 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
   bool has_maximum = true;
   if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
                           v8_str(isolate, "maximum"), &maximum, initial,
-                          std::numeric_limits<int>::max())) {
+                          max_table_size)) {
     if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
         thrower.error()) {
       return;
diff --git a/test/mjsunit/wasm/table.js b/test/mjsunit/wasm/table.js
index 0495703651..c04e3e2ad1 100644
--- a/test/mjsunit/wasm/table.js
+++ b/test/mjsunit/wasm/table.js
@@ -7,6 +7,7 @@
 // Basic tests.
 
 var outOfUint32RangeValue = 1e12;
+var int32ButOob = 1073741824;
 
 (function TestConstructor() {
   assertTrue(WebAssembly.Table instanceof Function);
@@ -35,6 +36,8 @@ var outOfUint32RangeValue = 1e12;
   assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 10, maximum: outOfUint32RangeValue}), RangeError);
   assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 10, maximum: 9}), RangeError);
 
+  assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: int32ButOob}));
+
   let table = new WebAssembly.Table({element: "anyfunc", initial: 1});
   assertSame(WebAssembly.Table.prototype, table.__proto__);
   assertSame(WebAssembly.Table, table.constructor);