From 174159a552959f739546eca550de28520bee1172 Mon Sep 17 00:00:00 2001 From: Nick Fitzgerald Date: Thu, 6 Aug 2020 15:56:19 -0700 Subject: [PATCH 1/2] Bump `wast` to version 22.0.0 in peepmatic crates --- Cargo.lock | 18 +++++++++--------- cranelift/codegen/Cargo.toml | 2 +- cranelift/peepmatic/Cargo.toml | 2 +- cranelift/peepmatic/crates/fuzzing/Cargo.toml | 2 +- cranelift/peepmatic/crates/runtime/Cargo.toml | 2 +- .../peepmatic/crates/test-operator/Cargo.toml | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0f85a443b7..dc4d2d228e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -392,7 +392,7 @@ dependencies = [ "smallvec", "target-lexicon", "thiserror", - "wast 15.0.0", + "wast 22.0.0", ] [[package]] @@ -1303,7 +1303,7 @@ dependencies = [ "peepmatic-test-operator", "peepmatic-traits", "serde", - "wast 15.0.0", + "wast 22.0.0", "z3", ] @@ -1331,7 +1331,7 @@ dependencies = [ "peepmatic-traits", "rand 0.7.3", "serde", - "wast 15.0.0", + "wast 22.0.0", ] [[package]] @@ -1356,7 +1356,7 @@ dependencies = [ "serde", "serde_test", "thiserror", - "wast 15.0.0", + "wast 22.0.0", ] [[package]] @@ -1377,7 +1377,7 @@ version = "0.66.0" dependencies = [ "peepmatic-traits", "serde", - "wast 15.0.0", + "wast 22.0.0", ] [[package]] @@ -2667,18 +2667,18 @@ dependencies = [ [[package]] name = "wast" -version = "15.0.0" +version = "21.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a10df5277f68adee65bba117b40235f07a4cb3d59e5ec9aa86dbee180fb1bc04" +checksum = "0b1844f66a2bc8526d71690104c0e78a8e59ffa1597b7245769d174ebb91deb5" dependencies = [ "leb128", ] [[package]] name = "wast" -version = "21.0.0" +version = "22.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b1844f66a2bc8526d71690104c0e78a8e59ffa1597b7245769d174ebb91deb5" +checksum = "fe1220ed7f824992b426a76125a3403d048eaf0f627918e97ade0d9b9d510d20" dependencies = [ "leb128", ] 
diff --git a/cranelift/codegen/Cargo.toml b/cranelift/codegen/Cargo.toml index 26980ed56b..976e88b137 100644 --- a/cranelift/codegen/Cargo.toml +++ b/cranelift/codegen/Cargo.toml @@ -29,7 +29,7 @@ peepmatic = { path = "../peepmatic", optional = true, version = "0.66.0" } peepmatic-traits = { path = "../peepmatic/crates/traits", optional = true, version = "0.66.0" } peepmatic-runtime = { path = "../peepmatic/crates/runtime", optional = true, version = "0.66.0" } regalloc = "0.0.28" -wast = { version = "15.0.0", optional = true } +wast = { version = "22.0.0", optional = true } # It is a goal of the cranelift-codegen crate to have minimal external dependencies. # Please don't add any unless they are essential to the task of creating binary # machine code. Integration tests that need external dependencies can be diff --git a/cranelift/peepmatic/Cargo.toml b/cranelift/peepmatic/Cargo.toml index c9644ec17b..987ac27763 100644 --- a/cranelift/peepmatic/Cargo.toml +++ b/cranelift/peepmatic/Cargo.toml @@ -15,7 +15,7 @@ peepmatic-macro = { version = "0.66.0", path = "crates/macro" } peepmatic-runtime = { version = "0.66.0", path = "crates/runtime", features = ["construct"] } peepmatic-traits = { version = "0.66.0", path = "crates/traits" } serde = { version = "1.0.105", features = ["derive"] } -wast = "15.0.0" +wast = "22.0.0" z3 = { version = "0.6.0", features = ["static-link-z3"] } [dev-dependencies] diff --git a/cranelift/peepmatic/crates/fuzzing/Cargo.toml b/cranelift/peepmatic/crates/fuzzing/Cargo.toml index a09911719e..763ab4e737 100644 --- a/cranelift/peepmatic/crates/fuzzing/Cargo.toml +++ b/cranelift/peepmatic/crates/fuzzing/Cargo.toml @@ -21,4 +21,4 @@ peepmatic-test-operator = { path = "../test-operator" } peepmatic-traits = { path = "../traits" } rand = { version = "0.7.3", features = ["small_rng"] } serde = "1.0.106" -wast = "15.0.0" +wast = "22.0.0" 
diff --git a/cranelift/peepmatic/crates/runtime/Cargo.toml b/cranelift/peepmatic/crates/runtime/Cargo.toml index 7432a34834..4b76d0716d 100644 --- a/cranelift/peepmatic/crates/runtime/Cargo.toml +++ b/cranelift/peepmatic/crates/runtime/Cargo.toml @@ -16,7 +16,7 @@ peepmatic-automata = { version = "0.66.0", path = "../automata", features = ["se peepmatic-traits = { version = "0.66.0", path = "../traits" } serde = { version = "1.0.105", features = ["derive"] } thiserror = "1.0.15" -wast = { version = "15.0.0", optional = true } +wast = { version = "22.0.0", optional = true } [dev-dependencies] peepmatic-test-operator = { version = "0.66.0", path = "../test-operator" } diff --git a/cranelift/peepmatic/crates/test-operator/Cargo.toml b/cranelift/peepmatic/crates/test-operator/Cargo.toml index 27df2e6c1e..4140407488 100644 --- a/cranelift/peepmatic/crates/test-operator/Cargo.toml +++ b/cranelift/peepmatic/crates/test-operator/Cargo.toml @@ -9,4 +9,4 @@ edition = "2018" [dependencies] peepmatic-traits = { version = "0.66.0", path = "../traits" } serde = { version = "1.0.105", features = ["derive"] } -wast = "15.0.0" +wast = "22.0.0" From aad086899c59539e1a783e05b492a6d31941c306 Mon Sep 17 00:00:00 2001 From: Nick Fitzgerald Date: Thu, 6 Aug 2020 16:03:16 -0700 Subject: [PATCH 2/2] peepmatic: Implement maximum nesting level in parser So that we don't blow the stack. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24705 --- cranelift/peepmatic/src/parser.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cranelift/peepmatic/src/parser.rs b/cranelift/peepmatic/src/parser.rs index 95a84c9433..fae87f8974 100644 --- a/cranelift/peepmatic/src/parser.rs +++ b/cranelift/peepmatic/src/parser.rs 
@@ -429,6 +429,13 @@ where
 DynAstRef<'a, TOperator>: From<&'a TOperand>,
 {
 fn parse(p: Parser<'a>) -> ParseResult {
+ // Don't blow the stack with this recursive parser. We don't expect
+ // nesting to ever get very deep, so it isn't worth refactoring this
+ // code to be non-recursive.
+ if p.parens_depth() > 25 {
+ return Err(p.error("module nesting too deep"));
+ }
+
 let span = p.cur_span();
 p.parens(|p| {
 let operator = p.parse()?;
@@ -816,6 +823,9 @@ mod test {
 "$var",
 "$CONST",
 "(ishl $x $(log2 $C))",
+
+ // Nesting too deep.
+ "(iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd (iadd))))))))))))))))))))))))))))))))))))))))))))))))))",
 }
 }
 parse_operation_rhs>> {
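Review bot: The depth guard is added only to this one `parse` impl, so any other recursive `Parse` impl in parser.rs that can nest without passing through it could still exhaust the stack on malformed or fuzzer-generated input. The unquote form `$(log2 $C)` in the test list looks like a candidate, though its parser is not visible in this hunk. The limit is also a bare `25`, and the message says "module" although the input here appears to be an optimization operation. A named constant and accurate wording would make the bound easier to audit, e.g. `if p.parens_depth() > MAX_NESTING_DEPTH {` and `return Err(p.error("operation nesting too deep"));`. The body of `parse` continues past the end of the hunk.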
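Review bot: The new test case does not pin the limit itself, because the input is nested far past 25 and an off-by-one in `p.parens_depth() > 25` would go unnoticed. Nothing visible in the hunk checks that the failure is the "module nesting too deep" error rather than some other rejection, for example of the operand-less innermost `(iadd)`. Consider adding one input at the deepest accepted level to the passing list and one a single level deeper here, and asserting on the message if the test macro allows it. The enclosing list and macro start above the hunk, so that this is the error list is inferred from the `// Nesting too deep.` comment.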