gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-09-06 09:51:27 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

add bounds checking to prevent ref_type_map_count (#4548)

Browse Source 
Signed-off-by: zhenweijin <zhenwei.jin@intel.com>
This commit is contained in:
Zhenwei Jin 2025-08-13 08:17:42 +08:00 committed by GitHub
parent c9bfdbe4c4
commit feecaf602e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
core/iwasm/interpreter/wasm_loader.c
View File

@ -1799,6 +1799,11 @@ resolve_func_type(const uint8 **p_buf, const uint8 *buf_end, WASMModule *module,
return false; return false;
} }
if (ref_type_map_count > 0) { if (ref_type_map_count > 0) {
if (ref_type_map_count > UINT16_MAX) {
set_error_buf(error_buf, error_buf_size,
"ref type count too large");
return false;
}
total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count; total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
if (!(type->ref_type_maps = if (!(type->ref_type_maps =
loader_malloc(total_size, error_buf, error_buf_size))) { loader_malloc(total_size, error_buf, error_buf_size))) {
@ -1938,6 +1943,11 @@ resolve_struct_type(const uint8 **p_buf, const uint8 *buf_end,
return false; return false;
} }
if (ref_type_map_count > 0) { if (ref_type_map_count > 0) {
if (ref_type_map_count > UINT16_MAX) {
set_error_buf(error_buf, error_buf_size,
"ref type count too large");
return false;
}
total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count; total_size = sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
if (!(type->ref_type_maps = if (!(type->ref_type_maps =
loader_malloc(total_size, error_buf, error_buf_size))) { loader_malloc(total_size, error_buf, error_buf_size))) {
@ -3957,6 +3967,11 @@ load_function_section(const uint8 *buf, const uint8 *buf_end,
} }
#if WASM_ENABLE_GC != 0 #if WASM_ENABLE_GC != 0
if (ref_type_map_count > 0) { if (ref_type_map_count > 0) {
if (ref_type_map_count > UINT16_MAX) {
set_error_buf(error_buf, error_buf_size,
"ref type count too large");
return false;
}
total_size = total_size =
sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count; sizeof(WASMRefTypeMap) * (uint64)ref_type_map_count;
if (!(func->local_ref_type_maps = loader_malloc( if (!(func->local_ref_type_maps = loader_malloc(