[wasm] Decoding the names section should stop if there is a problem with locals.

First discovery by the names section fuzzer I think. During the decoding
of the names of locals only ok() of the outer decoder was checked, not
the ok() of the actual names section decoder.

R=tizer@chromium.org
BUG=chromium:684855

Review-Url: https://codereview.chromium.org/2648383007
Cr-Commit-Position: refs/heads/master@{#42880}

src/wasm/decoder.h

@@ -382,8 +382,10 @@ class Decoder {
 
       int length = static_cast<int>(pc_ - pos);
       if (pc_ == end && (b & 0x80)) {
+        TRACE("\n");
         error(pc_ - 1, "varint too large");
       } else if (length == 0) {
+        TRACE("\n");
         error(pc_, "varint of length 0");
       } else if (is_signed) {
         if (length < kMaxLength) {

src/wasm/module-decoder.cc

@@ -628,7 +628,7 @@ class ModuleDecoder : public Decoder {
         }
 
         uint32_t local_names_count = inner.consume_u32v("local names count");
-        for (uint32_t j = 0; ok() && j < local_names_count; j++) {
+        for (uint32_t j = 0; inner.ok() && j < local_names_count; j++) {
           uint32_t length = inner.consume_u32v("string length");
           inner.consume_bytes(length, "string");
         }

test/unittests/wasm/module-decoder-unittest.cc

@@ -1461,6 +1461,25 @@ TEST_F(WasmModuleVerifyTest, Names_two_empty) {
   EXPECT_VERIFIES(data);
 }
 
+TEST_F(WasmModuleVerifyTest, Regression684855) {
+  static const byte data[] = {
+      SECTION_NAMES(12),
+      0xfb,  // functions count
+      0x27,  // |
+      0x00,  // function name length
+      0xff,  // local names count
+      0xff,  // |
+      0xff,  // |
+      0xff,  // |
+      0xff,  // |
+      0xff,  // error: "varint too large"
+      0xff,  // |
+      0x00,  // --
+      0x00   // --
+  };
+  EXPECT_VERIFIES(data);
+}
+
 #define EXPECT_INIT_EXPR(Type, type, value, ...)                 \
   {                                                              \
     static const byte data[] = {__VA_ARGS__, kExprEnd};          \