[wasm][bug] Fix global.get in element segments

We used to verify its index as if it was a function index.

Bug: chromium:1210447

Change-Id: I5e015b1b11b22b6b7e7e13dac4945f8eb6f3d846
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2903153Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74649}

src/wasm/module-decoder.cc

@@ -2218,8 +2218,12 @@ class ModuleDecoderImpl : public Decoder {
               kExprGlobalGet);
           return {};
         }
-        uint32_t index = consume_element_func_index();
+        uint32_t index = this->consume_u32v("global index");
         if (failed()) return {};
+        if (index >= module_->globals.size()) {
+          errorf("Out-of-bounds global index %d", index);
+          return {};
+        }
         expect_u8("end opcode", kExprEnd);
         return WasmInitExpr::GlobalGet(index);
       }

test/unittests/wasm/module-decoder-unittest.cc

@@ -1905,6 +1905,17 @@ TEST_F(WasmModuleVerifyTest, ElementSectionDontInitExternRefImportedTable) {
   EXPECT_FAILURE(data);
 }
 
+TEST_F(WasmModuleVerifyTest, ElementSectionGlobalGetOutOfBounds) {
+  WASM_FEATURE_SCOPE(reftypes);
+  static const byte data[] = {
+      SECTION(Element, ENTRY_COUNT(1),
+              0x05,            // Mode: Passive with expressions-as-elements
+              kFuncRefCode,    // type
+              ENTRY_COUNT(1),  // element count
+              kExprGlobalGet, 0x00, kExprEnd)};  // init. expression
+  EXPECT_FAILURE_WITH_MSG(data, "Out-of-bounds global index 0");
+}
+
 TEST_F(WasmModuleVerifyTest, IndirectFunctionNoFunctions) {
   static const byte data[] = {
       // sig#0 -------------------------------------------------------