[DebugInfo] Add bounds check to source map VLQ decoder shift (#8331)

- `readBase64VLQ()` increments `shift` by 5 for each continuation digit
with no upper bound.
- After 7 continuation digits, `shift` reaches 35 and `digit << shift`
on a `uint32_t` is undefined behavior (shifting by >= type width).
- Added a bounds check after incrementing `shift`, throwing
`MapParseException` for malformed VLQ values with too many continuation
digits.

Author: sumleo

src/wasm/source-map.cpp

@@ -196,6 +196,9 @@ int32_t SourceMapReader::readBase64VLQ() {
       ch > '9' ? ch - 'g' : (ch >= '0' ? ch - '0' + 20 : (ch == '+' ? 30 : 31));
     value |= digit << shift;
     shift += 5;
+    if (shift >= 32) {
+      throw MapParseException("VLQ value too large");
+    }
   }
   return value & 1 ? -int32_t(value >> 1) : int32_t(value >> 1);
 }

test/gtest/source-map.cpp

@@ -129,6 +129,18 @@ TEST_F(SourceMapTest, BadSourceMaps) {
   // Mapping strings are parsed incrementally, so errors don't show up until a
   // sufficiently far-advanced location is requested to reach the problem.
   EXPECT_THROW(reader->readDebugLocationAt(1), MapParseException);
+
+  // VLQ with too many continuation digits. 7 continuation characters ('g')
+  // push the shift to 35, exceeding the uint32_t width. This is a malformed
+  // VLQ that should be rejected rather than causing undefined behavior.
+  sourceMap = R"(
+    {
+      "version": 3,
+      "sources": ["foo.c"],
+      "mappings": "gggggggA"
+    }
+  )";
+  ExpectParseError(sourceMap, "VLQ value too large");
 }
 
 TEST_F(SourceMapTest, SourcesAndNames) {