[wasm][streaming] Check for illegal section code

Add a missing check to reject illegal sections.

The test is added in three forms, to give fuzzers more food: A fuzzer
regression test for the streaming fuzzer, a unit test for the streaming
decoder, and an mjsunit test for streaming compilation.

Drive-by: Remove a redundant line in the synchronous decoder (this is
already handled by the following statement.

R=ahaas@chromium.org

Bug: chromium:1335023
Change-Id: Ic8c3b301f1b58981c7d68eafcffc89531ed2c64c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698549Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81071}

src/wasm/module-decoder.cc

@@ -283,7 +283,6 @@ class WasmSectionIterator {
     } else if (!IsValidSectionCode(section_code)) {
       decoder_->errorf(decoder_->pc(), "unknown section code #0x%02x",
                        section_code);
-      section_code = kUnknownSectionCode;
     }
     section_code_ = decoder_->failed() ? kUnknownSectionCode
                                        : static_cast<SectionCode>(section_code);

src/wasm/streaming-decoder.cc

@@ -583,8 +583,11 @@ AsyncStreamingDecoder::DecodeModuleHeader::Next(
 
 std::unique_ptr<AsyncStreamingDecoder::DecodingState>
 AsyncStreamingDecoder::DecodeSectionID::Next(AsyncStreamingDecoder* streaming) {
-  TRACE_STREAMING("DecodeSectionID: %s section\n",
+  TRACE_STREAMING("DecodeSectionID: %u (%s)\n", id_,
                   SectionName(static_cast<SectionCode>(id_)));
+  if (id_ != kUnknownSectionCode && !IsValidSectionCode(id_)) {
+    return streaming->Error("invalid section code");
+  }
   if (id_ == SectionCode::kCodeSectionCode) {
     // Explicitly check for multiple code sections as module decoder never
     // sees the code section and hence cannot track this section.

test/mjsunit/wasm/async-compile.js

@@ -10,10 +10,13 @@ async function assertCompiles(buffer) {
 }
 
 function assertCompileError(buffer, msg) {
-  assertEquals('string', typeof msg);
+  if (typeof msg == 'string') {
+    msg = 'WebAssembly.compile(): ' + msg;
+  } else {
+    assertInstanceof(msg, RegExp);
+  }
   return assertThrowsAsync(
-      WebAssembly.compile(buffer), WebAssembly.CompileError,
-      'WebAssembly.compile(): ' + msg);
+      WebAssembly.compile(buffer), WebAssembly.CompileError, msg);
 }
 
 assertPromiseResult(async function basicCompile() {
@@ -76,3 +79,13 @@ assertPromiseResult(async function importWithoutCode() {
   builder.addImport('m', 'q', kSig_i_i);
   await builder.asyncInstantiate({'m': {'q': i => i}});
 }());
+
+assertPromiseResult(async function invalidSectionCode() {
+  let kInvalidSectionCode = 61;
+  let builder = new WasmModuleBuilder();
+  builder.addExplicitSection([kInvalidSectionCode, 0]);
+  let buffer = builder.toBuffer();
+
+  // Async and streaming decoder disagree on the error message, so accept both.
+  await assertCompileError(buffer, /(unknown|invalid) section code/);
+}());

test/unittests/wasm/streaming-decoder-unittest.cc

@@ -666,6 +666,12 @@ TEST_F(WasmStreamingDecoderTest, UnknownSectionSandwich) {
                 "code section can only appear once");
 }
 
+TEST_F(WasmStreamingDecoderTest, InvalidSectionCode) {
+  uint8_t kInvalidSectionCode = 61;
+  const uint8_t data[] = {WASM_MODULE_HEADER, SECTION(Invalid)};
+  ExpectFailure(base::ArrayVector(data), 8, "invalid section code");
+}
+
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8