From 55ad4c7ec73da7f90d697d0d6ce67f083571b121 Mon Sep 17 00:00:00 2001
From: Wenyong Huang
Date: Thu, 24 Feb 2022 09:36:46 +0800
Subject: [PATCH] Fix wasm-c-api wasm_module_imports issues (#1021)
Fix several issues in wasm-c-api wasm_module_imports function:
1. Two of the if branches never set the module_name and name fields which are later passed as arguments to wasm_importtype_new, and eventually might cause double-free and/or use-after-free
2. Should zero module_name/name/extern_type at the start of loop iteration, and destroy their resources when failed at the end of loop iteration
2. No need to check `if (!extern_type) { continue; }`, as extern_type is converted from type and type is already checked
3. No need to wasm_importtype_vec_delete(out) when failed, as it is passed from outside and should be destroyed by outside
---
 core/iwasm/common/wasm_c_api.c | 55 ++++++++++++++----------------------
 1 file changed, 23 insertions(+), 32 deletions(-)
diff --git a/core/iwasm/common/wasm_c_api.c b/core/iwasm/common/wasm_c_api.c
index 660cdaf05..b19cf75f0 100644
--- a/core/iwasm/common/wasm_c_api.c
+++ b/core/iwasm/common/wasm_c_api.c
@@ -1947,6 +1947,10 @@ wasm_module_imports(const wasm_module_t *module, own wasm_importtype_vec_t *out)
 for (i = 0; i != import_count; ++i) {
 char *module_name_rt = NULL, *field_name_rt = NULL;
+ memset(&module_name, 0, sizeof(wasm_val_vec_t));
+ memset(&name, 0, sizeof(wasm_val_vec_t));
+ extern_type = NULL;
+
 if (i < import_func_count) {
 wasm_functype_t *type = NULL;
 WASMType *type_rt = NULL;
@@ -1974,16 +1978,6 @@ wasm_module_imports(const wasm_module_t *module, own wasm_importtype_vec_t *out)
 continue;
 }
- wasm_name_new_from_string(&module_name, module_name_rt);
- if (strlen(module_name_rt) && !module_name.data) {
- goto failed;
- }
-
- wasm_name_new_from_string(&name, field_name_rt);
- if (strlen(field_name_rt) && !name.data) {
- goto failed;
- }
-
 if (!(type = wasm_functype_new_internal(type_rt))) {
 goto failed;
 }
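Review bot: The two added `memset` calls in the first hunk size the clear with `sizeof(wasm_val_vec_t)`, but `module_name` and `name` are filled by `wasm_name_new_from_string` and released with `wasm_byte_vec_delete`, so they look like byte vectors rather than value vectors. Their declarations are outside the hunk, and the clear is only correct as long as the two vector structs happen to have the same size. Sizing from the object removes that dependency: `memset(&module_name, 0, sizeof(module_name));` and `memset(&name, 0, sizeof(name));`. The loop body continues outside the hunk.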
@@ -2061,16 +2055,6 @@ wasm_module_imports(const wasm_module_t *module, own wasm_importtype_vec_t *out)
 continue;
 }
- wasm_name_new_from_string(&module_name, module_name_rt);
- if (strlen(module_name_rt) && !module_name.data) {
- goto failed;
- }
-
- wasm_name_new_from_string(&name, field_name_rt);
- if (strlen(field_name_rt) && !name.data) {
- goto failed;
- }
-
 if (!(type = wasm_memorytype_new_internal(min_page, max_page))) {
 goto failed;
 }
@@ -2122,8 +2106,16 @@ wasm_module_imports(const wasm_module_t *module, own wasm_importtype_vec_t *out)
 extern_type = wasm_tabletype_as_externtype(type);
 }
- if (!extern_type) {
- continue;
+ bh_assert(extern_type);
+
+ wasm_name_new_from_string(&module_name, module_name_rt);
+ if (strlen(module_name_rt) && !module_name.data) {
+ goto failed;
+ }
+
+ wasm_name_new_from_string(&name, field_name_rt);
+ if (strlen(field_name_rt) && !name.data) {
+ goto failed;
 }
 if (!(import_type =
@@ -2134,17 +2126,16 @@ wasm_module_imports(const wasm_module_t *module, own wasm_importtype_vec_t *out)
 if (!bh_vector_append((Vector *)out, &import_type)) {
 goto failed_importtype_new;
 }
+
+ continue;
+
+ failed:
+ wasm_byte_vec_delete(&module_name);
+ wasm_byte_vec_delete(&name);
+ wasm_externtype_delete(extern_type);
+ failed_importtype_new:
+ wasm_importtype_delete(import_type);
 }
-
- return;
-
-failed:
- wasm_byte_vec_delete(&module_name);
- wasm_byte_vec_delete(&name);
- wasm_externtype_delete(extern_type);
-failed_importtype_new:
- wasm_importtype_delete(import_type);
- wasm_importtype_vec_delete(out);
 }
 void
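Review bot: The relocated `strlen(module_name_rt)` and `strlen(field_name_rt)` calls in the `-2122` hunk now run for every import kind, and both pointers start each iteration as NULL, so a branch that reaches this point without assigning them would pass NULL to `strlen`. Most of the branches are outside the visible hunks, so this needs confirming against the full function; a guard such as `if (!module_name_rt || !field_name_rt) { goto failed; }` ahead of the first call would make the assumption explicit. Also, `bh_assert(extern_type)` replaces a runtime check, and if `bh_assert` is compiled out in release builds (not visible here), a NULL `extern_type` would reach `wasm_importtype_new` unchecked.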
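Review bot: The new in-loop `failed:` path in the `-2134` hunk falls through into `wasm_importtype_delete(import_type)`, but `import_type` is not among the variables reset at the top of each iteration (only `module_name`, `name` and `extern_type` are cleared). If `import_type` is declared at function scope, which is not visible here, a `goto failed` taken before its assignment in a later iteration would delete the import type that an earlier iteration already appended to `out`, leaving `out` holding a dangling element for its owner to free again. Adding `import_type = NULL;` next to `extern_type = NULL;` closes that. Separately, after the cleanup the loop carries on with the next import and the function still returns nothing, so a caller cannot tell a complete `out` from a partial one; a comment stating that this is intended would help.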