From b8329c34d618f901e4c4a27586833d7e1777371f Mon Sep 17 00:00:00 2001
From: Benjamin Bouvier <benj@benj.me>
Date: Tue, 9 May 2017 18:33:40 +0200
Subject: [PATCH] Bug 1363431: wasm: Check for maximum br_table size; r=luke

MozReview-Commit-ID: 2Q2pWi5NSn7

--HG--
extra : rebase_source : a778197f93e3ea208e3d0bf067254e37aca6fa9f
---
 js/src/wasm/WasmBinaryIterator.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/js/src/wasm/WasmBinaryIterator.h b/js/src/wasm/WasmBinaryIterator.h
index e887e9b2e5f2..d1666b7878cd 100644
--- a/js/src/wasm/WasmBinaryIterator.h
+++ b/js/src/wasm/WasmBinaryIterator.h
@@ -1081,6 +1081,9 @@ OpIter<Policy>::readBrTable(Uint32Vector* depths, uint32_t* defaultDepth,
     if (!readVarU32(&tableLength))
         return fail("unable to read br_table table length");
 
+    if (tableLength > MaxBrTableElems)
+        return fail("br_table too big");
+
     if (!popWithType(ValType::I32, index))
         return false;