Validate reading prefixed opcodes

If module bytes end in a prefix like 0xfc (numeric prefix), we read out
of bounds (pc + 1). So, if validate flag is set, check the length.

Bug: chromium:1073553
Change-Id: Ia9771419d01f2315723d19dd96630172b5a7a1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2161404Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67370}

src/wasm/decoder.h

@@ -148,8 +148,15 @@ class Decoder {
         errorf(pc, "Invalid SIMD opcode %d", index);
       }
     } else {
-      index = *(pc + 1);
-      *length = 1;
+      if (!validate || validate_size(pc, 2, "expected 2 bytes")) {
+        DCHECK(validate_size(pc, 2, "expected 2 bytes"));
+        index = *(pc + 1);
+        *length = 1;
+      } else {
+        // If kValidate and size validation fails.
+        index = 0;
+        *length = 0;
+      }
     }
     return static_cast<WasmOpcode>((*pc) << 8 | index);
   }

test/mjsunit/regress/wasm/regress-1073553.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1);
+builder.addFunction(undefined, kSig_v_i) .addBodyWithEnd([
+    kExprI32Const, 1, kExprMemoryGrow, kMemoryZero, kNumericPrefix]);
+// Intentionally add just a numeric opcode prefix without the index byte.
+
+const b = builder.toBuffer();
+WebAssembly.compile(b);