From 308592969ccf7ed8dbd74e2f4e6c719f412e6998 Mon Sep 17 00:00:00 2001
From: Diego <96022404+dzfrias@users.noreply.github.com>
Date: Sat, 1 Jun 2024 13:16:49 -0700
Subject: [PATCH] LibWasm: Properly check table bounds in element instantiation

Offset is now checked using saturating addition to avoid overflow. This prevents a crash in the VM during instantiation.
---
 .../LibWasm/AbstractMachine/AbstractMachine.cpp | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
index feb00aae3f..73d46f8d84 100644
--- a/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
+++ b/Userland/Libraries/LibWasm/AbstractMachine/AbstractMachine.cpp
@@ -282,16 +282,14 @@ InstantiationResult AbstractMachine::instantiate(Module const& module, Vectorreferences().size() + d.value();
+ Checked total_size = elem_instance->references().size();
+ total_size.saturating_add(d.value());
- if (table_instance->type().limits().max().value_or(total_required_size) < total_required_size) {
- instantiation_result = InstantiationError { "Table limit overflow in active element segment" };
+ if (total_size.value() > table_instance->elements().size()) {
+ instantiation_result = InstantiationError { "Table instantiation out of bounds" };
 return IterationDecision::Break;
 }
- if (table_instance->elements().size() < total_required_size)
- table_instance->elements().resize(total_required_size);
-
 size_t i = 0;
 for (auto it = elem_instance->references().begin(); it < elem_instance->references().end(); ++i, ++it) {
 table_instance->elements()[i + d.value()] = *it;
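Review bot: The new bounds check at `if (total_size.value() > table_instance->elements().size())` now rejects a segment that the removed `resize` used to accommodate by growing the table, but nothing in the hunk records that the table is deliberately never grown here, so the next reader may reintroduce the resize; a comment such as `// An active segment that does not fit in the table fails instantiation; the table is never grown to fit it.` above the check would pin that down. The soundness of the comparison rests on `saturating_add` clamping rather than wrapping, and on `Checked::value()` not asserting afterwards, which holds only if saturating_add leaves the overflow flag clear — worth confirming against the Checked implementation, since the opposite would turn a malformed module into the very VM crash the commit is fixing. The copy loop below could also be written against the bound just verified, `for (size_t i = 0; i < elem_instance->references().size(); ++i) table_instance->elements()[d.value() + i] = elem_instance->references()[i];`, which drops the parallel iterator/index pair and the unusual `it < end()` comparison. The enclosing lambda and `instantiate` continue outside the hunk.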