From ab2ff4a56d0000755e961503aa1a728c95256875 Mon Sep 17 00:00:00 2001
From: Zhenwei Jin <109658203+kylo5aby@users.noreply.github.com>
Date: Tue, 19 Aug 2025 08:53:37 +0800
Subject: [PATCH] add rec idx and rec count validation in aot loader (#4555)

Signed-off-by: zhenweijin
---
 core/iwasm/aot/aot_loader.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/iwasm/aot/aot_loader.c b/core/iwasm/aot/aot_loader.c
index b36d5aa3a..1138f667e 100644
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -1807,8 +1807,12 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 read_uint16(buf, buf_end, rec_count);
 read_uint16(buf, buf_end, rec_idx);
 #if WASM_ENABLE_AOT_VALIDATOR != 0
- if (rec_idx > i) {
- set_error_buf(error_buf, error_buf_size, "invalid rec_idx");
+ if (rec_count > module->type_count) {
+ set_error_buf(error_buf, error_buf_size, "invalid rec count");
+ goto fail;
+ }
+ if (rec_idx > i || rec_idx >= rec_count) {
+ set_error_buf(error_buf, error_buf_size, "invalid rec idx");
 goto fail;
 }
 if (parent_type_idx >= i) {
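Review bot: The new `rec_count > module->type_count` test bounds the group size against the whole type table but not against where the group starts, so a type near the end of the table can still declare a group whose extent `i - rec_idx + rec_count` runs past `type_count`. If later code walks the group from `i - rec_idx` for `rec_count` entries, which this hunk does not show, that would read beyond the types array. After the `rec_idx` check, where `rec_idx <= i` is already established (and assuming `i` is the loop index and stays below `type_count`), a tighter test such as `if (rec_count > module->type_count - (i - rec_idx))` with the same "invalid rec count" error would close the gap. Both checks also sit inside `#if WASM_ENABLE_AOT_VALIDATOR != 0`, so builds without the validator still take these fields as read from the file; a short comment stating that trust assumption would help. The rest of `load_types` lies outside the hunk.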