[wasm] Fix use after free in compile fuzzer

R=ahaas@chromium.org Bug: chromium:1179545 Change-Id: I0dddf6198a9574c925ca4faaf6b7b70453887029 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704171Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#72844}

[wasm] Fix use after free in compile fuzzer
R=ahaas@chromium.org Bug: chromium:1179545 Change-Id: I0dddf6198a9574c925ca4faaf6b7b70453887029 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704171Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#72844}
063ab3d6 · Thibaud Michaud · Commit Bot · 95c3ebcc · 063ab3d6
Commit 063ab3d6 authored Feb 18, 2021 by Thibaud Michaud Committed by Commit Bot Feb 18, 2021
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

wasm-compile.cc test/fuzzer/wasm-compile.cc +3 -2

No files found.
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -218,8 +218,9 @@ class WasmGenerator {
    bool is_unwind = num_catch == 0 && !has_catch_all && !is_delegate;

    Vector<const ValueType> return_type_vec =
-        return_type.kind() == ValueType::kStmt ? Vector<ValueType>{}
-                                               : VectorOf({return_type});
+        return_type.kind() == ValueType::kStmt
+            ? Vector<ValueType>{}
+            : Vector<ValueType>(&return_type, 1);
    BlockScope block_scope(this, kExprTry, {}, return_type_vec, return_type_vec,
                           !is_delegate);
    int control_depth = static_cast<int>(blocks_.size()) - 1;