[wasm] Avoid constructing overflowing WireBytesRefs

The constructor of WireBytesRef checks that offset+length is still in
the uint32_t range. This CL avoids triggering this check on illegally
size strings.

R=ahaas@chromium.org
BUG=chromium:734246

Change-Id: Iab5c7013aa3e0ac5060bc4733e712a1652679b1a
Reviewed-on: https://chromium-review.googlesource.com/539402Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46050}

src/wasm/module-decoder.cc

@@ -104,7 +104,7 @@ WireBytesRef consume_string(Decoder& decoder, bool validate_utf8,
       decoder.errorf(string_start, "%s: no valid UTF-8 string", name);
     }
   }
-  return {offset, length};
+  return {offset, decoder.failed() ? 0 : length};
 }
 
 // An iterator over the sections in a wasm binary module.

test/mjsunit/regress/wasm/regression-734246.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+let builder = new WasmModuleBuilder();
+builder.addExplicitSection([
+  kUnknownSectionCode,
+  // section length
+  0x0f,
+  // name length: 0xffffffff
+  0xf9, 0xff, 0xff, 0xff, 0x0f
+]);
+assertThrows(() => builder.instantiate(), WebAssembly.CompileError);