From 0ecaf8c7da04086a490e3205371adc827cf53dfd Mon Sep 17 00:00:00 2001
From: Liu Jia
Date: Thu, 23 Oct 2025 11:27:30 +0800
Subject: [PATCH] add validation of dynamic_offset (#4563)
* add check_dynamic_offset_pop
---
 core/iwasm/interpreter/wasm_loader.c | 12 +++++++++++-
 core/iwasm/interpreter/wasm_mini_loader.c | 12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 5874931e0..1453f1bfa 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -8542,6 +8542,15 @@ check_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 return true;
 }
+static bool
+check_dynamic_offset_pop(WASMLoaderContext *ctx, uint32 cells)
+{
+ if (ctx->dynamic_offset < 0
+ || (ctx->dynamic_offset > 0 && (uint32)ctx->dynamic_offset < cells))
+ return false;
+ return true;
+}
+
 static void
 free_label_patch_list(BranchBlock *frame_csp)
 {
@@ -9980,7 +9989,8 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
 return true;
 ctx->frame_offset -= cell_num_to_pop;
- if ((*(ctx->frame_offset) > ctx->start_dynamic_offset)
+ if (check_dynamic_offset_pop(ctx, cell_num_to_pop)
+ && (*(ctx->frame_offset) > ctx->start_dynamic_offset)
 && (*(ctx->frame_offset) < ctx->max_dynamic_offset))
 ctx->dynamic_offset -= cell_num_to_pop;
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index b9dcc9877..ec1e25cdb 100644
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -4342,6 +4342,15 @@ check_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 return true;
 }
+static bool
+check_dynamic_offset_pop(WASMLoaderContext *ctx, uint32 cells)
+{
+ if (ctx->dynamic_offset < 0
+ || (ctx->dynamic_offset > 0 && (uint32)ctx->dynamic_offset < cells))
+ return false;
+ return true;
+}
+
 static void
 free_label_patch_list(BranchBlock *frame_csp)
 {
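Review bot: The `ctx->dynamic_offset > 0 &&` clause in check_dynamic_offset_pop lets an offset of exactly 0 pass for any non-zero `cells`, so the caller's `ctx->dynamic_offset -= cell_num_to_pop` in wasm_loader_pop_frame_offset can still drive the offset negative, which is precisely the state the first clause rejects on the next pop. Unless 0 is a deliberate sentinel (nothing in the hunk says so), the guard should read `if (ctx->dynamic_offset < 0 || (uint32)ctx->dynamic_offset < cells) return false;`, which is the same test with the zero case covered; if 0 is a sentinel, a one-line comment stating that would stop the next reader from "fixing" it. A header comment such as `/* Reject a pop that would move dynamic_offset below zero. */` would also record why the loader performs this check at all. The identical function added to wasm_mini_loader.c in the second file section needs the same treatment.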
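Review bot: When check_dynamic_offset_pop returns false, the new condition only skips the `ctx->dynamic_offset -= cell_num_to_pop` adjustment and wasm_loader_pop_frame_offset carries on, so the loader continues with a dynamic_offset that no longer matches the cells already removed by `ctx->frame_offset -= cell_num_to_pop` on the line above, and nothing reports the mismatch to the caller. Since the commit is titled as validation, a failed check should presumably take the same error path that check_offset_pop (just above this hunk) uses rather than being silently swallowed; if a silent skip is the intended recovery, a comment on the `if` should say so and why the stale dynamic_offset is acceptable. Note that the frame side has already been decremented before the check runs, so the two offsets diverge on exactly the inputs the check is meant to catch. The enclosing function starts and ends outside the hunk, and the mirrored hunk in wasm_mini_loader.c has the same shape.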
@@ -5256,7 +5265,8 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
 return true;
 ctx->frame_offset -= cell_num_to_pop;
- if ((*(ctx->frame_offset) > ctx->start_dynamic_offset)
+ if (check_dynamic_offset_pop(ctx, cell_num_to_pop)
+ && (*(ctx->frame_offset) > ctx->start_dynamic_offset)
 && (*(ctx->frame_offset) < ctx->max_dynamic_offset))
 ctx->dynamic_offset -= cell_num_to_pop;