diff --git a/core/iwasm/aot/aot_loader.c b/core/iwasm/aot/aot_loader.c
index f274471f3..9d1129b8d 100644
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -1730,6 +1730,12 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 (void)u8;
 read_uint32(buf, buf_end, j);
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+ if (j >= module->type_count) {
+ set_error_buf(error_buf, error_buf_size, "invalid type index");
+ goto fail;
+ }
+#endif
 if (module->types[j]->ref_count == UINT16_MAX) {
 set_error_buf(error_buf, error_buf_size, "wasm type's ref count too large");
@@ -1993,6 +1999,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 AOTType *cur_type = module->types[j];
 parent_type_idx = cur_type->parent_type_idx;
 if (parent_type_idx != (uint32)-1) { /* has parent */
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+ if (parent_type_idx >= module->type_count) {
+ set_error_buf(error_buf, error_buf_size,
+ "invalid parent type index");
+ goto fail;
+ }
+#endif
 AOTType *parent_type = module->types[parent_type_idx];
 module->types[j]->parent_type = parent_type;
@@ -2016,6 +2029,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 AOTType *cur_type = module->types[j];
 parent_type_idx = cur_type->parent_type_idx;
 if (parent_type_idx != (uint32)-1) { /* has parent */
+#if WASM_ENABLE_AOT_VALIDATOR != 0
+ if (parent_type_idx >= module->type_count) {
+ set_error_buf(error_buf, error_buf_size,
+ "invalid parent type index");
+ goto fail;
+ }
+#endif
 AOTType *parent_type = module->types[parent_type_idx];
 /* subtyping has been checked during compilation */
 bh_assert(wasm_type_is_subtype_of(
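Review bot: The new guard on `j` only rejects indices at or beyond `module->type_count`, so an index that is in range but refers to an entry not yet filled in would still reach `module->types[j]->ref_count` on the next line. Whether such an entry can be NULL depends on how the array is allocated and populated, which is outside the hunk; if types are loaded in order, comparing `j` against the index of the type currently being loaded would be the tighter check. Separately, this check and the ones in the two later hunks compile only when `WASM_ENABLE_AOT_VALIDATOR != 0`, so a build without it still indexes `module->types[]` with a value read from the file; a comment such as `/* without the validator, AOT input is assumed trusted */` would make that assumption explicit. load_types continues outside the hunk.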
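Review bot: The parent check accepts `parent_type_idx == j` and any later index, so a type can name itself or a later type as its parent and the `parent_type` links set here can form a cycle. If the format requires a parent to precede its subtype (not shown here, to be confirmed), `if (parent_type_idx >= j) {` would reject those as well; any code that walks the parent_type chain depends on it terminating. The identical seven-line block is added again in the third hunk, so a small static helper would keep the two copies in sync. The enclosing loop starts outside the hunk.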
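Review bot: After the new range check, the subtype relation is still only checked by `bh_assert(wasm_type_is_subtype_of(...))`, and the comment above it says it was verified during compilation. With the validator enabled the file is presumably not trusted to have come from the compiler, and if bh_assert is compiled out in release builds (not visible here) a parent that is in range but not a supertype is accepted silently. Under `WASM_ENABLE_AOT_VALIDATOR` this path could set the error buffer and `goto fail` instead of asserting. The bh_assert call continues past the end of the hunk.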