[wasm] Properly reject modules with unknown sections

The IsValidSectionCode function shouldn't include internally-used
numeric identifiers of well-known optional sections.

Fixed: v8:12867
Change-Id: I9d894ee57157455e92a17ddcde94f32f05fb038d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644612
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80494}

src/wasm/wasm-constants.h

@@ -116,7 +116,7 @@ enum SectionCode : int8_t {
 
   // Helper values
   kFirstSectionInModule = kTypeSectionCode,
-  kLastKnownModuleSection = kBranchHintsSectionCode,
+  kLastKnownModuleSection = kTagSectionCode,
   kFirstUnorderedSection = kDataCountSectionCode,
 };
 

test/mjsunit/regress/wasm/regress-12867.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+for (let section = kLastKnownSectionCode + 1;
+     section <= kLastKnownSectionCode + 20; section++) {
+  let module = Uint8Array.from([
+      kWasmH0, kWasmH1, kWasmH2, kWasmH3,
+      kWasmV0, kWasmV1, kWasmV2, kWasmV3,
+      section, 0
+  ]);
+  let hex = section.toString(16).padStart(2, '0');
+  let msg = `WebAssembly.Module(): unknown section code #0x${hex} @+10`;
+  assertThrows(() => new WebAssembly.Instance(new WebAssembly.Module(module)),
+               WebAssembly.CompileError, msg);
+}

test/mjsunit/wasm/wasm-module-builder.js

@@ -68,6 +68,7 @@ let kCodeSectionCode = 10;       // Function code
 let kDataSectionCode = 11;       // Data segments
 let kDataCountSectionCode = 12;  // Data segment count (between Element & Code)
 let kTagSectionCode = 13;        // Tag section (between Memory & Global)
+let kLastKnownSectionCode = 13;
 
 // Name section types
 let kModuleNameCode = 0;