[wasm] Avoid constructing OOB WireBytesRef

The {WireBytesRef} constructor checks that {offset + length} does not
overflow. Hence we need to check for illegal sizes before constructing
the {WireBytesRef}.

The {consume_bytes} function already does that, so remove the
redundant hand-written checking.

R=titzer@chromium.org

Bug: chromium:752781
Change-Id: If3a2946a62fa38cc668695ed7186b9751a1f356f
Reviewed-on: https://chromium-review.googlesource.com/605894
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47563}

src/wasm/module-decoder.cc

@@ -960,29 +960,17 @@ class ModuleDecoder : public Decoder {
     }
   }
 
-  bool IsWithinLimit(uint32_t limit, uint32_t offset, uint32_t size) {
-    if (offset > limit) return false;
-    if ((offset + size) < offset) return false;  // overflow
-    return (offset + size) <= limit;
-  }
-
   // Decodes a single data segment entry inside a module starting at {pc_}.
   void DecodeDataSegmentInModule(WasmModule* module, WasmDataSegment* segment) {
-    const byte* start = pc_;
     expect_u8("linear memory index", 0);
     segment->dest_addr = consume_init_expr(module, kWasmI32);
     uint32_t source_length = consume_u32v("source size");
     uint32_t source_offset = pc_offset();
-    segment->source = {source_offset, source_length};
 
-    // Validate the data is in the decoder buffer.
-    uint32_t limit = static_cast<uint32_t>(end_ - start_);
-    if (!IsWithinLimit(limit, GetBufferRelativeOffset(segment->source.offset()),
-                       segment->source.length())) {
-      error(start, "segment out of bounds of the section");
-    }
+    consume_bytes(source_length, "segment data");
+    if (failed()) return;
 
-    consume_bytes(segment->source.length(), "segment data");
+    segment->source = {source_offset, source_length};
   }
 
   // Calculate individual global offsets and total size of globals table.

test/unittests/wasm/module-decoder-unittest.cc

@@ -711,6 +711,20 @@ TEST_F(WasmModuleVerifyTest, DataSegment_wrong_init_type) {
   EXPECT_FAILURE(data);
 }
 
+TEST_F(WasmModuleVerifyTest, DataSegmentEndOverflow) {
+  const byte data[] = {
+      SECTION(Memory, 4),  // memory section
+      ENTRY_COUNT(1),           kResizableMaximumFlag, 28, 28,
+      SECTION(Data, 10),         // data section
+      ENTRY_COUNT(1),            // one entry
+      LINEAR_MEMORY_INDEX_0,     // mem index
+      WASM_INIT_EXPR_I32V_1(0),  // offset
+      U32V_5(0xffffffff)         // size
+  };
+
+  EXPECT_FAILURE(data);
+}
+
 TEST_F(WasmModuleVerifyTest, OneIndirectFunction) {
   static const byte data[] = {
       // sig#0 ---------------------------------------------------------------