gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-05-09 21:26:21 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

Fix loader push_pop_frame_ref_offset (#2590)

Browse Source 
`wasm_loader_push_pop_frame_offset` may pop n operands by using
`loader_ctx->stack_cell_num` to check whether the operand can be
popped or not. While `loader_ctx->stack_cell_num` is updated in the
later `wasm_loader_push_pop_frame_ref`, the check may fail if the stack
is in polymorphic state and lead to `ctx->frame_offset` underflow.

Fix issue #2577 and #2586.
This commit is contained in:
Wenyong Huang 2023-09-26 10:17:54 +08:00 committed by GitHub
parent b622622096
commit 6382162711
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
core/iwasm/interpreter/wasm_loader.c
View File

@ -5476,6 +5476,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
return true; return true;
} }
#if WASM_ENABLE_FAST_INTERP == 0
static bool static bool
wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt, wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
uint8 type_push, uint8 type_pop, char *error_buf, uint8 type_push, uint8 type_pop, char *error_buf,
@ -5490,6 +5491,7 @@ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
return false; return false;
return true; return true;
} }
#endif
static bool static bool
wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type, wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type,
@ -6166,27 +6168,6 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
return true; return true;
} }
static bool
wasm_loader_push_pop_frame_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
uint8 type_push, uint8 type_pop,
bool disable_emit, int16 operand_offset,
char *error_buf, uint32 error_buf_size)
{
uint8 i;
for (i = 0; i < pop_cnt; i++) {
if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
error_buf_size))
return false;
}
if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
operand_offset, error_buf,
error_buf_size))
return false;
return true;
}
static bool static bool
wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type, wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type,
bool disable_emit, int16 operand_offset, bool disable_emit, int16 operand_offset,
@ -6220,12 +6201,24 @@ wasm_loader_push_pop_frame_ref_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
bool disable_emit, int16 operand_offset, bool disable_emit, int16 operand_offset,
char *error_buf, uint32 error_buf_size) char *error_buf, uint32 error_buf_size)
{ {
if (!wasm_loader_push_pop_frame_offset(ctx, pop_cnt, type_push, type_pop, uint8 i;
disable_emit, operand_offset,
error_buf, error_buf_size)) for (i = 0; i < pop_cnt; i++) {
if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
error_buf_size))
return false;
if (!wasm_loader_pop_frame_ref(ctx, type_pop, error_buf,
error_buf_size))
return false;
}
if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
operand_offset, error_buf,
error_buf_size))
return false; return false;
if (!wasm_loader_push_pop_frame_ref(ctx, pop_cnt, type_push, type_pop,
error_buf, error_buf_size)) if (!wasm_loader_push_frame_ref(ctx, type_push, error_buf, error_buf_size))
return false; return false;
return true; return true;

43
core/iwasm/interpreter/wasm_mini_loader.c
View File

@ -3937,6 +3937,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
return true; return true;
} }
#if WASM_ENABLE_FAST_INTERP == 0
static bool static bool
wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt, wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
uint8 type_push, uint8 type_pop, char *error_buf, uint8 type_push, uint8 type_pop, char *error_buf,
@ -3951,6 +3952,7 @@ wasm_loader_push_pop_frame_ref(WASMLoaderContext *ctx, uint8 pop_cnt,
return false; return false;
return true; return true;
} }
#endif
static bool static bool
wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type, wasm_loader_push_frame_csp(WASMLoaderContext *ctx, uint8 label_type,
@ -4608,25 +4610,6 @@ wasm_loader_pop_frame_offset(WASMLoaderContext *ctx, uint8 type,
return true; return true;
} }
static bool
wasm_loader_push_pop_frame_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
uint8 type_push, uint8 type_pop,
bool disable_emit, int16 operand_offset,
char *error_buf, uint32 error_buf_size)
{
for (int i = 0; i < pop_cnt; i++) {
if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
error_buf_size))
return false;
}
if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
operand_offset, error_buf,
error_buf_size))
return false;
return true;
}
static bool static bool
wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type, wasm_loader_push_frame_ref_offset(WASMLoaderContext *ctx, uint8 type,
bool disable_emit, int16 operand_offset, bool disable_emit, int16 operand_offset,
@ -4660,12 +4643,24 @@ wasm_loader_push_pop_frame_ref_offset(WASMLoaderContext *ctx, uint8 pop_cnt,
bool disable_emit, int16 operand_offset, bool disable_emit, int16 operand_offset,
char *error_buf, uint32 error_buf_size) char *error_buf, uint32 error_buf_size)
{ {
if (!wasm_loader_push_pop_frame_offset(ctx, pop_cnt, type_push, type_pop, uint8 i;
disable_emit, operand_offset,
error_buf, error_buf_size)) for (i = 0; i < pop_cnt; i++) {
if (!wasm_loader_pop_frame_offset(ctx, type_pop, error_buf,
error_buf_size))
return false;
if (!wasm_loader_pop_frame_ref(ctx, type_pop, error_buf,
error_buf_size))
return false;
}
if (!wasm_loader_push_frame_offset(ctx, type_push, disable_emit,
operand_offset, error_buf,
error_buf_size))
return false; return false;
if (!wasm_loader_push_pop_frame_ref(ctx, pop_cnt, type_push, type_pop,
error_buf, error_buf_size)) if (!wasm_loader_push_frame_ref(ctx, type_push, error_buf, error_buf_size))
return false; return false;
return true; return true;