[wasm] Do proper bounds checking in the wasm interpreter for grow memory.

R=titzer@chromium.org

BUG=chromium:647027

Review-Url: https://codereview.chromium.org/2344853002
Cr-Commit-Position: refs/heads/master@{#39440}

src/wasm/wasm-interpreter.cc

@@ -658,6 +658,9 @@ static inline int32_t ExecuteGrowMemory(uint32_t delta_pages,
                                         WasmModuleInstance* instance) {
   // TODO(ahaas): Move memory allocation to wasm-module.cc for better
   // encapsulation.
+  if (delta_pages > wasm::WasmModule::kMaxMemPages) {
+    return -1;
+  }
   uint32_t old_size = instance->mem_size;
   uint32_t new_size;
   byte* new_mem_start;

test/cctest/wasm/test-run-wasm-interpreter.cc

@@ -306,6 +306,25 @@ TEST(GrowMemoryPreservesData) {
                       WASM_LOAD_MEM(MachineType::Int32(), WASM_I32V(index))));
   CHECK_EQ(value, r.Call(1));
 }
+
+TEST(GrowMemoryInvalidSize) {
+  {
+    // Grow memory by an invalid amount without initial memory.
+    TestingModule module(kExecuteInterpreted);
+    WasmRunner<int32_t> r(&module, MachineType::Uint32());
+    BUILD(r, WASM_BLOCK(WASM_GROW_MEMORY(WASM_GET_LOCAL(0))));
+    CHECK_EQ(-1, r.Call(1048575));
+  }
+  {
+    // Grow memory by an invalid amount without initial memory.
+    TestingModule module(kExecuteInterpreted);
+    WasmRunner<int32_t> r(&module, MachineType::Uint32());
+    module.AddMemory(WasmModule::kPageSize);
+    BUILD(r, WASM_BLOCK(WASM_GROW_MEMORY(WASM_GET_LOCAL(0))));
+    CHECK_EQ(-1, r.Call(1048575));
+  }
+}
+
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8