From feecaf602e68124f9916ecdd6218d50ce917f6a4 Mon Sep 17 00:00:00 2001
From: Zhenwei Jin <109658203+kylo5aby@users.noreply.github.com>
Date: Wed, 13 Aug 2025 08:17:42 +0800
Subject: [PATCH] add bounds checking to prevent ref_type_map_count (#4548)

Signed-off-by: zhenweijin
---
 core/iwasm/interpreter/wasm_loader.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 6139167f6..e89e91e0d 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -1799,6 +1799,11 @@ resolve_func_type(const uint8 **p_buf, const uint8 *buf_end, WASMModule *module,
 return false;
 }
 if (ref_type_map_count > 0) {
+ if (ref_type_map_count > UINT16_MAX) {
+ set_error_buf(error_buf, error_buf_size,
+ "ref type count too large");
+ return false;
+ }
 total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
 if (!(type->ref_type_maps = loader_malloc(total_size, error_buf, error_buf_size))) {
@@ -1938,6 +1943,11 @@ resolve_struct_type(const uint8 **p_buf, const uint8 *buf_end,
 return false;
 }
 if (ref_type_map_count > 0) {
+ if (ref_type_map_count > UINT16_MAX) {
+ set_error_buf(error_buf, error_buf_size,
+ "ref type count too large");
+ return false;
+ }
 total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
 if (!(type->ref_type_maps = loader_malloc(total_size, error_buf, error_buf_size))) {
@@ -3957,6 +3967,11 @@ load_function_section(const uint8 *buf, const uint8 *buf_end,
 }
 #if WASM_ENABLE_GC != 0
 if (ref_type_map_count > 0) {
+ if (ref_type_map_count > UINT16_MAX) {
+ set_error_buf(error_buf, error_buf_size,
+ "ref type count too large");
+ return false;
+ }
 total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
 if (!(func->local_ref_type_maps = loader_malloc(
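Review bot: The new guard in resolve_func_type rejects ref_type_map_count above UINT16_MAX without saying why that is the limit, and the identical five lines are repeated in the resolve_struct_type and load_function_section hunks; a one-line comment on the first copy would tie the constant to its reason, e.g. `/* the count is narrowed to a 16-bit member after allocation; a larger value would be truncated and mismatch the allocated ref_type_maps */` — the narrowing assignment is not visible in the hunk, so confirm the destination member's width against the struct definition before stating it. If that is the reason, a `_Static_assert` against the member's size, or comparing against its width rather than a bare UINT16_MAX, would keep the check from silently drifting if the member is ever widened, and folding the three copies into one static helper would keep the limit and the error message in step. The bodies of resolve_func_type, resolve_struct_type and load_function_section start and end outside their hunks, so whether the early `return false;` in load_function_section leaves a partially initialised func entry for the module's normal teardown to free cannot be confirmed from here.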