diff --git a/core/iwasm/aot/aot_loader.c b/core/iwasm/aot/aot_loader.c index bb41a9e63..eedbf0672 100644 --- a/core/iwasm/aot/aot_loader.c +++ b/core/iwasm/aot/aot_loader.c @@ -90,7 +90,7 @@ static bool check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length, char *error_buf, uint32 error_buf_size) { - if (buf + length > buf_end) { + if (buf + length < buf || buf + length > buf_end) { set_error_buf(error_buf, error_buf_size, "unexpect end"); return false; } diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c index d3fbd47a2..286a7aa57 100644 --- a/core/iwasm/interpreter/wasm_loader.c +++ b/core/iwasm/interpreter/wasm_loader.c @@ -47,7 +47,7 @@ static bool check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length, char *error_buf, uint32 error_buf_size) { - if (buf + length > buf_end) { + if (buf + length < buf || buf + length > buf_end) { set_error_buf(error_buf, error_buf_size, "unexpected end of section or function"); return false; @@ -59,7 +59,7 @@ static bool check_buf1(const uint8 *buf, const uint8 *buf_end, uint32 length, char *error_buf, uint32 error_buf_size) { - if (buf + length > buf_end) { + if (buf + length < buf || buf + length > buf_end) { set_error_buf(error_buf, error_buf_size, "unexpected end"); return false; } @@ -1034,7 +1034,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end, bool linked_call_conv_raw = false; bool is_native_symbol = false; - CHECK_BUF(p, p_end, 1); read_leb_uint32(p, p_end, declare_type_index); *p_buf = p; @@ -3335,7 +3334,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list, } last_section_index = section_index; } - CHECK_BUF1(p, p_end, 1); read_leb_uint32(p, p_end, section_size); CHECK_BUF1(p, p_end, section_size); diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c index 10035f93f..0565188c3 100644 --- a/core/iwasm/interpreter/wasm_mini_loader.c 
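Review bot: The added wraparound test `buf + length < buf` in check_buf (core/iwasm/aot/aot_loader.c) depends on pointer arithmetic overflowing, which is undefined behaviour in C, so an optimising compiler is allowed to assume it never happens and drop the comparison. The same expression is added to check_buf and check_buf1 in wasm_loader.c and to the CHECK_BUF/CHECK_BUF1 macros in wasm_mini_loader.c. Comparing the length against the space that remains avoids forming an out-of-range pointer at all: `if (buf > buf_end || length > (size_t)(buf_end - buf)) {`. check_buf's body continues past the end of the hunk, so the rest of the function is not reviewed here.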
+++ b/core/iwasm/interpreter/wasm_mini_loader.c @@ -25,14 +25,14 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string) string); } -#define CHECK_BUF(buf, buf_end, length) \ - do { \ - bh_assert(buf + length <= buf_end); \ +#define CHECK_BUF(buf, buf_end, length) \ + do { \ + bh_assert(buf + length >= buf && buf + length <= buf_end); \ } while (0) -#define CHECK_BUF1(buf, buf_end, length) \ - do { \ - bh_assert(buf + length <= buf_end); \ +#define CHECK_BUF1(buf, buf_end, length) \ + do { \ + bh_assert(buf + length >= buf && buf + length <= buf_end); \ } while (0) #define skip_leb(p) while (*p++ & 0x80) @@ -45,7 +45,7 @@ is_32bit_type(uint8 type) { if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32 #if WASM_ENABLE_REF_TYPES != 0 - || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF) + || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF #endif ) return true; @@ -412,7 +412,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end, void *linked_attachment = NULL; bool linked_call_conv_raw = false; - CHECK_BUF(p, p_end, 1); read_leb_uint32(p, p_end, declare_type_index); *p_buf = p; @@ -2232,7 +2231,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list, || last_section_index < section_index); last_section_index = section_index; } - CHECK_BUF1(p, p_end, 1); read_leb_uint32(p, p_end, section_size); CHECK_BUF1(p, p_end, section_size);
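Review bot: In the CHECK_BUF and CHECK_BUF1 macros of wasm_mini_loader.c the bounds test exists only as the argument of `bh_assert`, so it presumably checks nothing in builds where bh_assert is compiled out; its definition is not visible in this diff, so that needs confirming. The macro arguments are also expanded without parentheses, and `buf` now appears three times and `length` twice, so an argument with side effects would be evaluated repeatedly. Writing the test as `bh_assert((length) <= (size_t)((buf_end) - (buf)));` addresses the repeated evaluation and avoids the overflowing pointer addition. A comment above the macros should state what input the mini loader expects when the assertion is inactive.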