[wasm] Stop the BranchTableIterator if there is an error in the decoder.

In a fuzzer testcase I found locally the ast-decoder spent a lot of time in the decoding of kExprBrTable after the decoder already found an error. I did not add a test because the fuzzer test case did not actually crash. It only run out of memory in the chromium fuzzer. R=titzer@chromium.org Review-Url: https://codereview.chromium.org/2413863003 Cr-Commit-Position: refs/heads/master@{#40254}

[wasm] Stop the BranchTableIterator if there is an error in the decoder.
In a fuzzer testcase I found locally the ast-decoder spent a lot of time in the decoding of kExprBrTable after the decoder already found an error. I did not add a test because the fuzzer test case did not actually crash. It only run out of memory in the chromium fuzzer. R=titzer@chromium.org Review-Url: https://codereview.chromium.org/2413863003 Cr-Commit-Position: refs/heads/master@{#40254}
77bda187 · ahaas · Commit bot · 33a4faa4 · 77bda187
Commit 77bda187 authored Oct 13, 2016 by ahaas Committed by Commit bot Oct 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

ast-decoder.cc src/wasm/ast-decoder.cc +2 -1

No files found.
--- a/src/wasm/ast-decoder.cc
+++ b/src/wasm/ast-decoder.cc
@@ -865,7 +865,7 @@ class WasmFullDecoder : public WasmDecoder {

                SsaEnv* copy = Steal(break_env);
                ssa_env_ = copy;
-                while (iterator.has_next()) {
+                while (ok() && iterator.has_next()) {
                  uint32_t i = iterator.cur_index();
                  const byte* pos = iterator.pc();
                  uint32_t target = iterator.next();
@@ -879,6 +879,7 @@ class WasmFullDecoder : public WasmDecoder {
                                          : BUILD(IfValue, i, sw);
                  BreakTo(target);
                }
+                if (failed()) break;
              } else {
                // Only a default target. Do the equivalent of br.
                const byte* pos = iterator.pc();