From 23df0d4e554fa5509ece98093b0ee282c55652f0 Mon Sep 17 00:00:00 2001
From: Zhenwei Jin <109658203+kylo5aby@users.noreply.github.com>
Date: Tue, 20 Jan 2026 08:53:11 +0800
Subject: [PATCH] fix: correct boundary check in dynamic_offset check (#4788)
correct boundary check in check_dynamic_offset_pop when dynamic_offset is 0. When dynamic_offset = 0, check_dynamic_offset_pop will always return true, which may wrongly update dynamic_offset. also include a typo fix in SET_OPERAND_REF
Signed-off-by: zhenweijin
---
 core/iwasm/interpreter/wasm_interp_fast.c | 2 +-
 core/iwasm/interpreter/wasm_loader.c | 3 +--
 core/iwasm/interpreter/wasm_mini_loader.c | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/core/iwasm/interpreter/wasm_interp_fast.c b/core/iwasm/interpreter/wasm_interp_fast.c
index fec9734ed..52e9379e4 100644
--- a/core/iwasm/interpreter/wasm_interp_fast.c
+++ b/core/iwasm/interpreter/wasm_interp_fast.c
@@ -442,7 +442,7 @@ wasm_interp_get_frame_ref(WASMInterpFrame *frame)
 opnd_off = *(int16 *)(frame_ip + off); \
 addr_tmp = frame_lp + opnd_off; \
 PUT_REF_TO_ADDR(addr_tmp, value); \
- SET_FRAME_REF(ond_off); \
+ SET_FRAME_REF(opnd_off); \
 } while (0)
 #define SET_OPERAND(op_type, off, value) SET_OPERAND_##op_type(off, value)
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 7280201fb..456964cd1 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -8545,8 +8545,7 @@ check_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 static bool
 check_dynamic_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 {
- if (ctx->dynamic_offset < 0
- || (ctx->dynamic_offset > 0 && (uint32)ctx->dynamic_offset < cells))
+ if (ctx->dynamic_offset < 0 || (uint32)ctx->dynamic_offset < cells)
 return false;
 return true;
 }
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index ec1e25cdb..0ac120263 100644
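Review bot: The corrected guard in check_dynamic_offset_pop (wasm_loader.c) lands without a regression test or a comment recording the invariant; the diffstat lists only the three interpreter sources, and this helper sits in the loader, which presumably runs on module bytecode that may be untrusted. Per the commit message the old condition let the check pass at dynamic_offset == 0 and wrongly update the offset, so a test module that reaches this pop with dynamic_offset == 0 would keep the boundary from regressing. I would also add above the `if`: `/* A pop needs at least cells slots; dynamic_offset == 0 must fail for cells > 0. */`. The identical hunk in wasm_mini_loader.c needs the same comment and coverage; the callers that act on the return value are outside both hunks.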
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -4345,8 +4345,7 @@ check_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 static bool
 check_dynamic_offset_pop(WASMLoaderContext *ctx, uint32 cells)
 {
- if (ctx->dynamic_offset < 0
- || (ctx->dynamic_offset > 0 && (uint32)ctx->dynamic_offset < cells))
+ if (ctx->dynamic_offset < 0 || (uint32)ctx->dynamic_offset < cells)
 return false;
 return true;
 }