From d42eb6cc54d3957c0635c2ac81e9e60833cb6858 Mon Sep 17 00:00:00 2001
From: VoltVoks <39782935+VoltVoks@users.noreply.github.com>
Date: Thu, 21 May 2026 16:26:38 -0700
Subject: [PATCH] Validate source map source indices
---
 src/source_map.cc | 15 ++++++++++---
 .../wasm/sourcemap_invalid_source_index.test | 21 +++++++++++++++++++
 2 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 tests/wasm/sourcemap_invalid_source_index.test
diff --git a/src/source_map.cc b/src/source_map.cc
index f727b647..e2b1ae9e 100644
--- a/src/source_map.cc
+++ b/src/source_map.cc
@@ -108,6 +108,15 @@ static int ReadBase64VLQSegment(std::string_view* data, int32_t (&values)[5]) {
 THROW("Unterminated Base64VLQ segment");
 }
 
+static std::string_view GetSourceFile(
+ const std::vector& sources, int64_t source_file) {
+ if (source_file < 0 ||
+ static_cast(source_file) >= sources.size()) {
+ THROW("source map source file index out of range");
+ }
+ return sources[source_file];
+}
+
 class VlqSegment {
 public:
 int32_t col;
@@ -149,7 +158,7 @@ void ForEachVLQSegment(std::string_view* data,
 THROW("Source file info expected in first VLQ segment");
 }
 int32_t col = values[0];
- int32_t source_file = values[1];
+ int64_t source_file = values[1];
 int32_t source_line = values[2];
 int32_t source_col = values[3];
 
@@ -167,7 +176,8 @@ void ForEachVLQSegment(std::string_view* data,
 int new_values_count = ReadBase64VLQSegment(data, values);
 if (values_count >= 4) {
 segment_func(VlqSegment(col, values[0],
- sources[source_file], source_line, source_col));
+ GetSourceFile(sources, source_file), source_line,
+ source_col));
 }
 values_count = new_values_count;
 col += values[0];
@@ -236,4 +246,3 @@ std::unique_ptr TryOpenSourceMapFile(
 }
 
 } // namespace bloaty
-
diff --git a/tests/wasm/sourcemap_invalid_source_index.test b/tests/wasm/sourcemap_invalid_source_index.test
new file mode 100644
index 00000000..b08d8a49
--- /dev/null
+++ b/tests/wasm/sourcemap_invalid_source_index.test
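Review bot: The new GetSourceFile helper in src/source_map.cc (first hunk) has no comment stating that `source_file` is derived from decoded source-map data or that the returned view borrows from `sources`. Suggest adding above it: `// Bounds-checked lookup; source_file comes from untrusted VLQ deltas. The returned view aliases sources and must not outlive it.` Including the offending index and `sources.size()` in the error text would also help triage of malformed maps, if the project's throw helper supports formatted output; the new test's CHECK line matches the current wording, so that wording would have to remain a prefix.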
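Review bot: In ForEachVLQSegment (second hunk) only `source_file` is widened to `int64_t`; `col` stays `int32_t` and the loop still executes `col += values[0];` (visible in the third hunk) on deltas decoded from the map, so a malformed mappings string can cause signed overflow, which is undefined behaviour. `source_line` and `source_col` are also left as `int32_t` and are presumably advanced the same way in lines outside the hunks. Consider accumulating all four in 64 bits, e.g. `int64_t col = values[0];`, and rejecting any value outside the `int32_t` range next to the `GetSourceFile` call before `VlqSegment` is constructed. The function body starts and ends outside both hunks, so any other `sources[source_file]` use there should be checked for the same helper.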
@@ -0,0 +1,21 @@
+# RUN: %yaml2obj %s -o %t.obj
+# RUN: echo "{\"version\":3,\"sources\":[\"a.js\",\"b.js\"],\"mappings\":\"AACA,AgxTAA,AAAA\"}" > %t.map
+# RUN: not %bloaty --raw-map %t.obj --source-map=./sourcemap.wasm.map=%t.map -d compileunits 2>&1 | %FileCheck %s
+
+# CHECK: bloaty: source map source file index out of range
+
+--- !WASM
+FileHeader:
+ Version: 0x1
+Sections:
+ - Type: CODE
+ Functions:
+ - Index: 0
+ Locals:
+ - Type: I32
+ Count: 1
+ Body: 41000B
+ - Type: CUSTOM
+ Name: sourceMappingURL
+ # ./sourcemap.wasm.map
+ Payload: 142E2F736F757263656D61702E7761736D2E6D6170
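Review bot: Only the upper-bound half of the new check is exercised here: the mappings string pushes the source index past the two-entry `sources` array, while the `source_file < 0` branch of GetSourceFile has no test. Add a second RUN/CHECK pair (or a sibling test file) whose mappings carry a negative source delta, and ideally one with an empty `sources` array, so both halves of the condition are pinned. A short comment above the `echo` line, e.g. `# The second segment's source delta moves the index beyond the two listed sources.`, would let a reader review the encoded string without decoding the VLQ by hand.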