From 9801c681ce1bdceff9e7a2f1b6ef5a9fd4b94d43 Mon Sep 17 00:00:00 2001
From: Peter Huene
Date: Fri, 5 Mar 2021 18:05:02 -0800
Subject: [PATCH] Fail module translation for segments with overflowing offset+length.

This commit fails translation of modules that have an segment offset, when added to the data length, overflows.
---
 cranelift/wasm/src/sections_translator.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/cranelift/wasm/src/sections_translator.rs b/cranelift/wasm/src/sections_translator.rs
index 3906c02393..a674658358 100644
--- a/cranelift/wasm/src/sections_translator.rs
+++ b/cranelift/wasm/src/sections_translator.rs
@@ -401,6 +401,12 @@ pub fn parse_element_section<'data>(
 ));
 }
 };
+ // Check for offset + len overflow
+ if offset.checked_add(segments.len()).is_none() {
+ return Err(wasm_unsupported!(
+ "element segment offset and length overflows"
+ ));
+ }
 environ.declare_table_elements(
 TableIndex::from_u32(table_index),
 base,
@@ -447,6 +453,12 @@ pub fn parse_data_section<'data>(
 ))
 }
 };
+ // Check for offset + len overflow
+ if offset.checked_add(data.len()).is_none() {
+ return Err(wasm_unsupported!(
+ "data segment offset and length overflows"
+ ));
+ }
 environ.declare_data_initialization(
 MemoryIndex::from_u32(memory_index),
 base,
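Review bot: The new guard in parse_element_section catches offset+len overflow only for the offset value that is known at translation time; the `(base, offset)` match sits above the hunk, so if `offset` is a placeholder whenever `base` names a global (inferred, not visible here), the check passes trivially in that case and the real bound must still be enforced where the global's value is resolved at instantiation. A one-line comment at the guard would make that contract explicit, e.g. `// Only guards constant offsets; global-relative offsets are bounds-checked at instantiation`, and the same applies to the identical guard in the parse_data_section hunk. Since `checked_add` is over the host's usize, this also means the guard is only reachable on 32-bit hosts for wasm32 offsets, which is worth stating in the comment so nobody removes it as dead code on 64-bit builds. The message `"element segment offset and length overflows"` reads better as `"element segment offset plus length overflows"` (likewise for the data-segment message), and wasm_unsupported! labels what is really a malformed module as unsupported rather than invalid, which may affect how callers classify the failure. Both enclosing functions start and end outside their hunks.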