Fix issue of wasm/aot file malformed format (#853)

Fix possible integer overflow unchecked issue when checking wasm/aot file format.
2025-09-07 02:11:06 +00:00 · 2021-11-30 20:47:42 +08:00 · 2021-11-30 20:47:42 +08:00 · 212810bc2f
commit 212810bc2f
parent 8d1c56bda4
3 changed files with 10 additions and 14 deletions
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@ -90,7 +90,7 @@ static bool
 check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
          char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
        set_error_buf(error_buf, error_buf_size, "unexpect end");
        return false;
    }
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@ -47,7 +47,7 @@ static bool
 check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
          char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
        set_error_buf(error_buf, error_buf_size,
                      "unexpected end of section or function");
        return false;
@ -59,7 +59,7 @@ static bool
 check_buf1(const uint8 *buf, const uint8 *buf_end, uint32 length,
           char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
        set_error_buf(error_buf, error_buf_size, "unexpected end");
        return false;
    }
@ -1034,7 +1034,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
    bool linked_call_conv_raw = false;
    bool is_native_symbol = false;
    CHECK_BUF(p, p_end, 1);
    read_leb_uint32(p, p_end, declare_type_index);
    *p_buf = p;
@ -3335,7 +3334,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
                }
                last_section_index = section_index;
            }
            CHECK_BUF1(p, p_end, 1);
            read_leb_uint32(p, p_end, section_size);
            CHECK_BUF1(p, p_end, section_size);
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@ -25,14 +25,14 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
                 string);
 }
-#define CHECK_BUF(buf, buf_end, length)     \
+#define CHECK_BUF(buf, buf_end, length)                            \
-    do {                                    \
+    do {                                                           \
-        bh_assert(buf + length <= buf_end); \
+        bh_assert(buf + length >= buf && buf + length <= buf_end); \
    } while (0)
-#define CHECK_BUF1(buf, buf_end, length)    \
+#define CHECK_BUF1(buf, buf_end, length)                           \
-    do {                                    \
+    do {                                                           \
-        bh_assert(buf + length <= buf_end); \
+        bh_assert(buf + length >= buf && buf + length <= buf_end); \
    } while (0)
 #define skip_leb(p) while (*p++ & 0x80)
@ -45,7 +45,7 @@ is_32bit_type(uint8 type)
 {
    if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
 #if WASM_ENABLE_REF_TYPES != 0
-        || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF)
+        || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
 #endif
    )
        return true;
@ -412,7 +412,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
    void *linked_attachment = NULL;
    bool linked_call_conv_raw = false;
    CHECK_BUF(p, p_end, 1);
    read_leb_uint32(p, p_end, declare_type_index);
    *p_buf = p;
@ -2232,7 +2231,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
                          || last_section_index < section_index);
                last_section_index = section_index;
            }
            CHECK_BUF1(p, p_end, 1);
            read_leb_uint32(p, p_end, section_size);
            CHECK_BUF1(p, p_end, section_size);