Index: llvm/trunk/lib/Object/WasmObjectFile.cpp
===================================================================
--- llvm/trunk/lib/Object/WasmObjectFile.cpp
+++ llvm/trunk/lib/Object/WasmObjectFile.cpp
@@ -670,8 +670,13 @@ Error WasmObjectFile::parseFunctionSection(const uint8_t *Ptr, const uint8_t *End) {
 uint32_t Count = readVaruint32(Ptr);
 FunctionTypes.reserve(Count);
+ uint32_t NumTypes = Signatures.size();
 while (Count--) {
- FunctionTypes.push_back(readVaruint32(Ptr));
+ uint32_t Type = readVaruint32(Ptr);
+ if (Type >= NumTypes)
+ return make_error("Invalid function type",
+ object_error::parse_failed);
+ FunctionTypes.push_back(Type);
 }
 if (Ptr != End)
 return make_error("Function section ended prematurely",
Index: llvm/trunk/test/ObjectYAML/wasm/export_section.yaml
===================================================================
--- llvm/trunk/test/ObjectYAML/wasm/export_section.yaml
+++ llvm/trunk/test/ObjectYAML/wasm/export_section.yaml
@@ -3,6 +3,11 @@
 FileHeader:
 Version: 0x00000001
 Sections:
+ - Type: TYPE
+ Signatures:
+ - Index: 0
+ ReturnType: NORESULT
+ ParamTypes:
 - Type: FUNCTION
 FunctionTypes: [ 0, 0 ]
 - Type: GLOBAL
Index: llvm/trunk/test/ObjectYAML/wasm/function_section.yaml
===================================================================
--- llvm/trunk/test/ObjectYAML/wasm/function_section.yaml
+++ llvm/trunk/test/ObjectYAML/wasm/function_section.yaml
@@ -3,6 +3,15 @@
 FileHeader:
 Version: 0x00000001
 Sections:
+ - Type: TYPE
+ Signatures:
+ - Index: 0
+ ReturnType: NORESULT
+ ParamTypes:
+ - Index: 1
+ ReturnType: NORESULT
+ ParamTypes:
+ - I32
 - Type: FUNCTION
 FunctionTypes: [ 1, 0 ]
 ...
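Review bot: `Count` is still read from the file and used unchecked in `FunctionTypes.reserve(Count)` and `while (Count--)`, so the new per-entry index check does not bound the allocation a malformed section can request. The loop calls `readVaruint32(Ptr)` without passing `End`, and the `Ptr != End` comparison runs only after the loop, so reads presumably can run past the section before any error is returned. Every entry takes at least one byte, so a guard before the reserve such as `if (Count > static_cast<size_t>(End - Ptr))` returning the existing `object_error::parse_failed` error would bound both, assuming `Ptr <= End` on entry. Separately, `uint32_t NumTypes = Signatures.size();` narrows from `size_t`; comparing `Type >= Signatures.size()` directly avoids that. The function body continues past the end of this hunk.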
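Review bot: No fixture exercises the new rejection path; both YAML files only gain a `TYPE` section so that the existing `FunctionTypes` indices stay valid. A companion case where `FunctionTypes` names an index with no matching signature, expected to fail with "Invalid function type", would keep the bounds check from regressing. Whether the YAML tooling will emit such a file is not visible here, so the case may need a checked-in binary input.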