[Backport] CVE-2024-2887: Type Confusion in WebAssembly

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5380190:
Merged: [wasm] Check for type-definition count limit

(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)

Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Auto-Submit: Manos Koukoutos <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553298
Reviewed-by: Michal Klocek <[email protected]>

Author: manoskouk

chromium/v8/src/wasm/module-decoder-impl.h

@@ -675,6 +675,11 @@ class ModuleDecoderImpl : public Decoder {
         }
       } else {
         if (tracer_) tracer_->TypeOffset(pc_offset());
+        if (initial_size + 1 > kV8MaxWasmTypes) {
+          errorf(pc(), "Type definition count exceeds maximum %zu",
+                 kV8MaxWasmTypes);
+          return;
+        }
         // Similarly to above, we need to resize types for a group of size 1.
         module_->types.resize(initial_size + 1);
         module_->isorecursive_canonical_type_ids.resize(initial_size + 1);