[wasm] Avoid huge allocation on invalid local entries count

If the number of locals entries is inplausibly huge, we still try to
allocate storage for the SmallVector, resulting in OOMs, DCHECK errors
and other weird behavior depending on the platform.
This can be avoided by checking the decoded value for plausibility
before trying the allocation.

R=thibaudm@chromium.org

Bug: chromium:1374529
Change-Id: I4ba5f943e1933527fb009d9271750b1fb9ad21a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956518
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83749}

src/wasm/decoder.h

@@ -257,10 +257,15 @@ class Decoder {
     consume_bytes(size, nullptr);
   }
 
+  uint32_t available_bytes() const {
+    DCHECK_LE(pc_, end_);
+    DCHECK_GE(kMaxUInt32, end_ - pc_);
+    return static_cast<uint32_t>(end_ - pc_);
+  }
+
   // Check that at least {size} bytes exist between {pc_} and {end_}.
   bool checkAvailable(uint32_t size) {
-    DCHECK_LE(pc_, end_);
-    if (V8_UNLIKELY(size > static_cast<uint32_t>(end_ - pc_))) {
+    if (V8_UNLIKELY(size > available_bytes())) {
       errorf(pc_, "expected %u bytes, fell off end", size);
       return false;
     }

src/wasm/function-body-decoder-impl.h

@@ -1315,6 +1315,14 @@ class WasmDecoder : public Decoder {
     *total_length += length;
     TRACE("local decls count: %u\n", entries);
 
+    // Do an early validity check, to avoid allocating too much memory below.
+    // Every entry needs at least two bytes (count plus type); if that many are
+    // not available any more, flag that as an error.
+    if (available_bytes() / 2 < entries) {
+      return DecodeError(
+          pc, "local decls count bigger than remaining function size");
+    }
+
     struct DecodedLocalEntry {
       uint32_t count;
       ValueType type;