From 62aca1727908848c194dfe52c7d62397f5df8441 Mon Sep 17 00:00:00 2001
From: TianlongLiang <111852609+TianlongLiang@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:01:24 +0800
Subject: [PATCH] Check possible integer overflow in aot memory boundary check
 (#3920)

Check possible integer overflow in aot memory boundary check when
the wasm memory is 64-bit.
---
 core/iwasm/compilation/aot_emit_memory.c | 38 ++++++++++++++++++++----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/core/iwasm/compilation/aot_emit_memory.c b/core/iwasm/compilation/aot_emit_memory.c
index 869a1dbb2..9adf96ac5 100644
--- a/core/iwasm/compilation/aot_emit_memory.c
+++ b/core/iwasm/compilation/aot_emit_memory.c
@@ -273,10 +273,24 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
     }
 
     /* offset1 = offset + addr; */
-    /* TODO: check whether integer overflow occurs when memory is 64-bit
-             and boundary check is enabled */
     BUILD_OP(Add, offset_const, addr, offset1, "offset1");
 
+    if (is_memory64 && comp_ctx->enable_bound_check) {
+        /* Check whether integer overflow occurs in offset + addr */
+        LLVMBasicBlockRef check_integer_overflow_end;
+        ADD_BASIC_BLOCK(check_integer_overflow_end,
+                        "check_integer_overflow_end");
+        LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr);
+
+        BUILD_ICMP(LLVMIntULT, offset1, offset_const, cmp1, "cmp1");
+        if (!aot_emit_exception(comp_ctx, func_ctx,
+                                EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp1,
+                                check_integer_overflow_end)) {
+            goto fail;
+        }
+        SET_BUILD_POS(check_integer_overflow_end);
+    }
+
     if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) {
         LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem;
         LLVMValueRef is_in_shared_heap, shared_heap_check_bound = NULL;
@@ -303,7 +317,7 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
         LLVMPositionBuilderAtEnd(comp_ctx->builder, block_curr);
 
         if (!is_target_64bit) {
-            /* Check whether interger overflow occurs in addr + offset */
+            /* Check whether integer overflow occurs in addr + offset */
             LLVMBasicBlockRef check_integer_overflow_end;
             ADD_BASIC_BLOCK(check_integer_overflow_end,
                             "check_integer_overflow_end");
@@ -1215,10 +1229,24 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
         goto fail;
     }
 
-    /* TODO: check whether integer overflow occurs when memory is 64-bit
-             and boundary check is enabled */
     BUILD_OP(Add, offset, bytes, max_addr, "max_addr");
 
+    if (is_memory64 && comp_ctx->enable_bound_check) {
+        /* Check whether integer overflow occurs in offset + addr */
+        LLVMBasicBlockRef check_integer_overflow_end;
+        ADD_BASIC_BLOCK(check_integer_overflow_end,
+                        "check_integer_overflow_end");
+        LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr);
+
+        BUILD_ICMP(LLVMIntULT, max_addr, offset, cmp, "cmp");
+        if (!aot_emit_exception(comp_ctx, func_ctx,
+                                EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp,
+                                check_integer_overflow_end)) {
+            goto fail;
+        }
+        SET_BUILD_POS(check_integer_overflow_end);
+    }
+
     if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) {
         LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem;
         LLVMValueRef shared_heap_start_off, shared_heap_check_bound;