loader: add type index checking (#4402)

2025-09-05 17:32:26 +00:00 · 2025-06-24 20:38:39 +08:00 · 2025-06-24 20:38:39 +08:00 · 1e41519977
commit 1e41519977
parent e414a327a0
1 changed files with 20 additions and 0 deletions
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@ -1730,6 +1730,12 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
            (void)u8;

            read_uint32(buf, buf_end, j);
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+            if (j >= module->type_count) {
+                set_error_buf(error_buf, error_buf_size, "invalid type index");
+                goto fail;
+            }
+#endif
            if (module->types[j]->ref_count == UINT16_MAX) {
                set_error_buf(error_buf, error_buf_size,
                              "wasm type's ref count too large");
@ -1993,6 +1999,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
                AOTType *cur_type = module->types[j];
                parent_type_idx = cur_type->parent_type_idx;
                if (parent_type_idx != (uint32)-1) { /* has parent */
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+                    if (parent_type_idx >= module->type_count) {
+                        set_error_buf(error_buf, error_buf_size,
+                                      "invalid parent type index");
+                        goto fail;
+                    }
+#endif
                    AOTType *parent_type = module->types[parent_type_idx];

                    module->types[j]->parent_type = parent_type;
@ -2016,6 +2029,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
                AOTType *cur_type = module->types[j];
                parent_type_idx = cur_type->parent_type_idx;
                if (parent_type_idx != (uint32)-1) { /* has parent */
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+                    if (parent_type_idx >= module->type_count) {
+                        set_error_buf(error_buf, error_buf_size,
+                                      "invalid parent type index");
+                        goto fail;
+                    }
+#endif
                    AOTType *parent_type = module->types[parent_type_idx];
                    /* subtyping has been checked during compilation */
                    bh_assert(wasm_type_is_subtype_of(