Fix some issues reported by CodeQL (#3064)

Refer to https://github.com/bytecodealliance/wasm-micro-runtime/pull/2812 and https://github.com/bytecodealliance/wasm-micro-runtime/security/code-scanning?query=pr%3A2812+is%3Aopen
2025-10-31 05:11:19 +00:00 · 2024-01-23 21:38:30 +08:00 · 2024-01-23 21:38:30 +08:00 · 9f64340529
commit 9f64340529
parent ab97d543e0
9 changed files with 20 additions and 17 deletions
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@ -3134,8 +3134,7 @@ resolve_execute_mode(const uint8 *buf, uint32 size, bool *p_mode,
    p += 8;
    while (p < p_end) {
        read_uint32(p, p_end, section_type);
-        if (section_type <= AOT_SECTION_TYPE_SIGANATURE
-            || section_type == AOT_SECTION_TYPE_TARGET_INFO) {
+        if (section_type <= AOT_SECTION_TYPE_SIGANATURE) {
            read_uint32(p, p_end, section_size);
            CHECK_BUF(p, p_end, section_size);
            if (section_type == AOT_SECTION_TYPE_TARGET_INFO) {
@ -3150,7 +3149,7 @@ resolve_execute_mode(const uint8 *buf, uint32 size, bool *p_mode,
                break;
            }
        }
-        else if (section_type > AOT_SECTION_TYPE_SIGANATURE) {
+        else { /* section_type > AOT_SECTION_TYPE_SIGANATURE */
            set_error_buf(error_buf, error_buf_size,
                          "resolve execute mode failed");
            break;
--- a/core/iwasm/common/wasm_c_api.c
+++ b/core/iwasm/common/wasm_c_api.c
@ -2294,7 +2294,7 @@ wasm_module_new(wasm_store_t *store, const wasm_byte_vec_t *binary)
        (uint8 *)module_ex->binary->data, (uint32)module_ex->binary->size,
        error_buf, (uint32)sizeof(error_buf));
    if (!(module_ex->module_comm_rt)) {
-        LOG_ERROR(error_buf);
+        LOG_ERROR("%s", error_buf);
        goto free_vec;
    }

@ -2367,7 +2367,7 @@ wasm_module_validate(wasm_store_t *store, const wasm_byte_vec_t *binary)
    }
    else {
        ret = false;
-        LOG_VERBOSE(error_buf);
+        LOG_VERBOSE("%s", error_buf);
    }

    return ret;
@ -3359,7 +3359,7 @@ wasm_func_call(const wasm_func_t *func, const wasm_val_vec_t *params,
    wasm_runtime_set_exception(func->inst_comm_rt, NULL);
    if (!wasm_runtime_call_wasm(exec_env, func_comm_rt, argc, argv)) {
        if (wasm_runtime_get_exception(func->inst_comm_rt)) {
-            LOG_DEBUG(wasm_runtime_get_exception(func->inst_comm_rt));
+            LOG_DEBUG("%s", wasm_runtime_get_exception(func->inst_comm_rt));
            goto failed;
        }
    }
@ -5044,7 +5044,7 @@ failed:
        *trap = wasm_trap_new(store, &message);
        wasm_byte_vec_delete(&message);
    }
-    LOG_DEBUG(error_buf);
+    LOG_DEBUG("%s", error_buf);
    wasm_instance_delete_internal(instance);
    return NULL;
 }
--- a/core/iwasm/common/wasm_native.c
+++ b/core/iwasm/common/wasm_native.c
@ -194,7 +194,7 @@ wasm_native_resolve_symbol(const char *module_name, const char *field_name,
 {
    NativeSymbolsNode *node, *node_next;
    const char *signature = NULL;
-    void *func_ptr = NULL, *attachment;
+    void *func_ptr = NULL, *attachment = NULL;

    node = g_native_symbols_list;
    while (node) {
--- a/core/iwasm/common/wasm_runtime_common.c
+++ b/core/iwasm/common/wasm_runtime_common.c
@ -2905,7 +2905,8 @@ copy_string_array(const char *array[], uint32 array_size, char **buf_ptr,
    /* We add +1 to generate null-terminated array of strings */
    total_size = sizeof(char *) * ((uint64)array_size + 1);
    if (total_size >= UINT32_MAX
-        || (total_size > 0 && !(list = wasm_runtime_malloc((uint32)total_size)))
+        /* total_size must be larger than 0, don' check it again */
+        || !(list = wasm_runtime_malloc((uint32)total_size))
        || buf_size >= UINT32_MAX
        || (buf_size > 0 && !(buf = wasm_runtime_malloc((uint32)buf_size)))) {

--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@ -327,7 +327,7 @@ check_utf8_str(const uint8 *str, uint32 len)
                    return false;
                }
            }
-            else if (chr >= 0xE1 && chr <= 0xEF) {
+            else { /* chr >= 0xE1 && chr <= 0xEF */
                if (p[1] < 0x80 || p[1] > 0xBF || p[2] < 0x80 || p[2] > 0xBF) {
                    return false;
                }
@ -341,13 +341,13 @@ check_utf8_str(const uint8 *str, uint32 len)
                    return false;
                }
            }
-            else if (chr >= 0xF1 && chr <= 0xF3) {
+            else if (chr <= 0xF3) { /* and also chr >= 0xF1 */
                if (p[1] < 0x80 || p[1] > 0xBF || p[2] < 0x80 || p[2] > 0xBF
                    || p[3] < 0x80 || p[3] > 0xBF) {
                    return false;
                }
            }
-            else if (chr == 0xF4) {
+            else { /* chr == 0xF4 */
                if (p[1] < 0x80 || p[1] > 0x8F || p[2] < 0x80 || p[2] > 0xBF
                    || p[3] < 0x80 || p[3] > 0xBF) {
                    return false;
--- a/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
+++ b/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
@ -2013,7 +2013,8 @@ copy_buffer_to_iovec_app(wasm_module_inst_t module_inst, uint8 *buf_begin,
        }

        if (buf >= buf_begin + buf_size
-            || buf + data->buf_len < buf /* integer overflow */
+            /* integer overflow */
+            || data->buf_len > UINTPTR_MAX - (uintptr_t)buf
            || buf + data->buf_len > buf_begin + buf_size
            || size_to_copy == 0) {
            break;
--- a/core/iwasm/libraries/thread-mgr/thread_manager.c
+++ b/core/iwasm/libraries/thread-mgr/thread_manager.c
@ -787,7 +787,7 @@ wasm_cluster_dup_c_api_imports(WASMModuleInstanceCommon *module_inst_dst,
 {
    /* workaround about passing instantiate-linking information */
    CApiFuncImport **new_c_api_func_imports = NULL;
-    CApiFuncImport *c_api_func_imports;
+    CApiFuncImport *c_api_func_imports = NULL;
    uint32 import_func_count = 0;
    uint32 size_in_bytes = 0;

--- a/core/shared/platform/common/posix/posix_socket.c
+++ b/core/shared/platform/common/posix/posix_socket.c
@ -884,7 +884,7 @@ os_socket_set_ip_ttl(bh_socket_t socket, uint8_t ttl_s)
 int
 os_socket_get_ip_ttl(bh_socket_t socket, uint8_t *ttl_s)
 {
-    socklen_t opt_len = sizeof(ttl_s);
+    socklen_t opt_len = sizeof(*ttl_s);
    if (getsockopt(socket, IPPROTO_IP, IP_TTL, ttl_s, &opt_len) != 0) {
        return BHT_ERROR;
    }
@ -906,7 +906,7 @@ os_socket_set_ip_multicast_ttl(bh_socket_t socket, uint8_t ttl_s)
 int
 os_socket_get_ip_multicast_ttl(bh_socket_t socket, uint8_t *ttl_s)
 {
-    socklen_t opt_len = sizeof(ttl_s);
+    socklen_t opt_len = sizeof(*ttl_s);
    if (getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, ttl_s, &opt_len)
        != 0) {
        return BHT_ERROR;
--- a/core/shared/utils/bh_hashmap.c
+++ b/core/shared/utils/bh_hashmap.c
@ -51,7 +51,9 @@ bh_hash_map_create(uint32 size, bool use_lock, HashFunc hash_func,
                 + sizeof(HashMapElem *) * (uint64)size
                 + (use_lock ? sizeof(korp_mutex) : 0);

-    if (total_size >= UINT32_MAX || !(map = BH_MALLOC((uint32)total_size))) {
+    /* size <= HASH_MAP_MAX_SIZE, so total_size won't be larger than
+       UINT32_MAX, no need to check integer overflow */
+    if (!(map = BH_MALLOC((uint32)total_size))) {
        LOG_ERROR("HashMap create failed: alloc memory failed.\n");
        return NULL;
    }