mirror of
https://github.com/bytecodealliance/wasm-micro-runtime.git
synced 2025-05-09 05:06:17 +00:00
Fix issue of wasm/aot file malformed format (#853)
Fix possible integer overflow unchecked issue when checking wasm/aot file format.
This commit is contained in:
parent
8d1c56bda4
commit
212810bc2f
|
@ -90,7 +90,7 @@ static bool
|
|||
check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
|
||||
char *error_buf, uint32 error_buf_size)
|
||||
{
|
||||
if (buf + length > buf_end) {
|
||||
if (buf + length < buf || buf + length > buf_end) {
|
||||
set_error_buf(error_buf, error_buf_size, "unexpect end");
|
||||
return false;
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ static bool
|
|||
check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
|
||||
char *error_buf, uint32 error_buf_size)
|
||||
{
|
||||
if (buf + length > buf_end) {
|
||||
if (buf + length < buf || buf + length > buf_end) {
|
||||
set_error_buf(error_buf, error_buf_size,
|
||||
"unexpected end of section or function");
|
||||
return false;
|
||||
|
@ -59,7 +59,7 @@ static bool
|
|||
check_buf1(const uint8 *buf, const uint8 *buf_end, uint32 length,
|
||||
char *error_buf, uint32 error_buf_size)
|
||||
{
|
||||
if (buf + length > buf_end) {
|
||||
if (buf + length < buf || buf + length > buf_end) {
|
||||
set_error_buf(error_buf, error_buf_size, "unexpected end");
|
||||
return false;
|
||||
}
|
||||
|
@ -1034,7 +1034,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
|
|||
bool linked_call_conv_raw = false;
|
||||
bool is_native_symbol = false;
|
||||
|
||||
CHECK_BUF(p, p_end, 1);
|
||||
read_leb_uint32(p, p_end, declare_type_index);
|
||||
*p_buf = p;
|
||||
|
||||
|
@ -3335,7 +3334,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
|
|||
}
|
||||
last_section_index = section_index;
|
||||
}
|
||||
CHECK_BUF1(p, p_end, 1);
|
||||
read_leb_uint32(p, p_end, section_size);
|
||||
CHECK_BUF1(p, p_end, section_size);
|
||||
|
||||
|
|
|
@ -25,14 +25,14 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
|
|||
string);
|
||||
}
|
||||
|
||||
#define CHECK_BUF(buf, buf_end, length) \
|
||||
do { \
|
||||
bh_assert(buf + length <= buf_end); \
|
||||
#define CHECK_BUF(buf, buf_end, length) \
|
||||
do { \
|
||||
bh_assert(buf + length >= buf && buf + length <= buf_end); \
|
||||
} while (0)
|
||||
|
||||
#define CHECK_BUF1(buf, buf_end, length) \
|
||||
do { \
|
||||
bh_assert(buf + length <= buf_end); \
|
||||
#define CHECK_BUF1(buf, buf_end, length) \
|
||||
do { \
|
||||
bh_assert(buf + length >= buf && buf + length <= buf_end); \
|
||||
} while (0)
|
||||
|
||||
#define skip_leb(p) while (*p++ & 0x80)
|
||||
|
@ -45,7 +45,7 @@ is_32bit_type(uint8 type)
|
|||
{
|
||||
if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
|
||||
#if WASM_ENABLE_REF_TYPES != 0
|
||||
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF)
|
||||
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
|
||||
#endif
|
||||
)
|
||||
return true;
|
||||
|
@ -412,7 +412,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
|
|||
void *linked_attachment = NULL;
|
||||
bool linked_call_conv_raw = false;
|
||||
|
||||
CHECK_BUF(p, p_end, 1);
|
||||
read_leb_uint32(p, p_end, declare_type_index);
|
||||
*p_buf = p;
|
||||
|
||||
|
@ -2232,7 +2231,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
|
|||
|| last_section_index < section_index);
|
||||
last_section_index = section_index;
|
||||
}
|
||||
CHECK_BUF1(p, p_end, 1);
|
||||
read_leb_uint32(p, p_end, section_size);
|
||||
CHECK_BUF1(p, p_end, section_size);
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user