gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-05-09 05:06:17 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

Fix issue of wasm/aot file malformed format (#853)

Browse Source 
Fix possible integer overflow unchecked issue when checking
wasm/aot file format.
This commit is contained in:
Javan 2021-11-30 20:47:42 +08:00 committed by GitHub
parent 8d1c56bda4
commit 212810bc2f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/iwasm/aot/aot_loader.c
View File

@ -90,7 +90,7 @@ static bool
check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
char *error_buf, uint32 error_buf_size)
{
if (buf + length > buf_end) {
if (buf + length < buf || buf + length > buf_end) {
set_error_buf(error_buf, error_buf_size, "unexpect end");
return false;
}

6
core/iwasm/interpreter/wasm_loader.c
View File

@ -47,7 +47,7 @@ static bool
check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
char *error_buf, uint32 error_buf_size)
{
if (buf + length > buf_end) {
if (buf + length < buf || buf + length > buf_end) {
set_error_buf(error_buf, error_buf_size,
"unexpected end of section or function");
return false;
@ -59,7 +59,7 @@ static bool
check_buf1(const uint8 *buf, const uint8 *buf_end, uint32 length,
char *error_buf, uint32 error_buf_size)
{
if (buf + length > buf_end) {
if (buf + length < buf || buf + length > buf_end) {
set_error_buf(error_buf, error_buf_size, "unexpected end");
return false;
}
@ -1034,7 +1034,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
bool linked_call_conv_raw = false;
bool is_native_symbol = false;
CHECK_BUF(p, p_end, 1);
read_leb_uint32(p, p_end, declare_type_index);
*p_buf = p;
@ -3335,7 +3334,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
}
last_section_index = section_index;
}
CHECK_BUF1(p, p_end, 1);
read_leb_uint32(p, p_end, section_size);
CHECK_BUF1(p, p_end, section_size);

16
core/iwasm/interpreter/wasm_mini_loader.c
View File

@ -25,14 +25,14 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
string);
}
#define CHECK_BUF(buf, buf_end, length) \
do { \
bh_assert(buf + length <= buf_end); \
#define CHECK_BUF(buf, buf_end, length) \
do { \
bh_assert(buf + length >= buf && buf + length <= buf_end); \
} while (0)
#define CHECK_BUF1(buf, buf_end, length) \
do { \
bh_assert(buf + length <= buf_end); \
#define CHECK_BUF1(buf, buf_end, length) \
do { \
bh_assert(buf + length >= buf && buf + length <= buf_end); \
} while (0)
#define skip_leb(p) while (*p++ & 0x80)
@ -45,7 +45,7 @@ is_32bit_type(uint8 type)
{
if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
#if WASM_ENABLE_REF_TYPES != 0
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF)
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
#endif
)
return true;
@ -412,7 +412,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
void *linked_attachment = NULL;
bool linked_call_conv_raw = false;
CHECK_BUF(p, p_end, 1);
read_leb_uint32(p, p_end, declare_type_index);
*p_buf = p;
@ -2232,7 +2231,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
|| last_section_index < section_index);
last_section_index = section_index;
}
CHECK_BUF1(p, p_end, 1);
read_leb_uint32(p, p_end, section_size);
CHECK_BUF1(p, p_end, section_size);