From 7bbdbf521275ce1f93db3d05eaba9bce1292a08f Mon Sep 17 00:00:00 2001
From: Liu Jia
Date: Tue, 17 Jun 2025 11:01:38 +0800
Subject: [PATCH] add validation for array type in load_init_expr(GC only) (#4370)
---
 core/iwasm/aot/aot_loader.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/core/iwasm/aot/aot_loader.c b/core/iwasm/aot/aot_loader.c
index 84bdd0dda..f274471f3 100644
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -1309,6 +1309,13 @@ load_init_expr(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 read_uint32(buf, buf_end, type_idx);
 read_uint32(buf, buf_end, length);
+ if (type_idx >= module->type_count
+ || !wasm_type_is_array_type(module->types[type_idx])) {
+ set_error_buf(error_buf, error_buf_size,
+ "invalid or non-array type index.");
+ goto fail;
+ }
+
 if (init_expr_type == INIT_EXPR_TYPE_ARRAY_NEW_DEFAULT) {
 expr->u.array_new_default.type_index = type_idx;
 expr->u.array_new_default.length = length;
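Review bot: `length` is read from the AOT buffer on the line right after `type_idx` but, unlike it, gets no validation in the visible lines before being stored in `expr->u.array_new_default.length`. If the non-default branch (outside this hunk) sizes an allocation or a loop from `length`, it is worth confirming there that the size is computed in 64 bits and rejected when it cannot fit in the remaining buffer. The single message `"invalid or non-array type index."` also covers two distinct faults; separate out-of-range and wrong-kind messages would make a malformed-module report easier to triage. A short comment such as `/* type_idx comes from the AOT file: bounds-check before indexing module->types */` would record why the order of the two conditions matters. load_init_expr's body starts and ends outside the hunk.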