Fix off-by-one in aot_alloc_tiny_frame overflow check

sumleo · sumleo · commit 0c10c8443697 · 2026-02-25T23:03:59.000+08:00
The boundary check in aot_alloc_tiny_frame only verifies that
new_frame itself doesn't exceed top_boundary, but doesn't account
for the sizeof(AOTTinyFrame) bytes that are about to be written.
When new_frame equals top_boundary exactly, the check passes but
the subsequent write to new_frame-&gt;func_index goes past the
boundary. This matches the correct pattern used in
aot_alloc_frame (line 4086) which includes the frame size.
diff --git a/core/iwasm/aot/aot_runtime.c b/core/iwasm/aot/aot_runtime.c
@@ -4176,7 +4176,7 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)
 {
     AOTTinyFrame *new_frame = (AOTTinyFrame *)exec_env->wasm_stack.top;
 
-    if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {
+    if ((uint8 *)new_frame + sizeof(AOTTinyFrame) > exec_env->wasm_stack.top_boundary) {
         aot_set_exception((WASMModuleInstance *)exec_env->module_inst,
                           "wasm operand stack overflow");
         return false;

Original file line number	Diff line number	Diff line change
`@@ -4176,7 +4176,7 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)`
`4176`	`4176`	`{`
`4177`	`4177`	`AOTTinyFrame new_frame = (AOTTinyFrame )exec_env->wasm_stack.top;`
`4178`	`4178`
`4179`		`- if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {`
	`4179`	`+ if ((uint8 *)new_frame + sizeof(AOTTinyFrame) > exec_env->wasm_stack.top_boundary) {`
`4180`	`4180`	`aot_set_exception((WASMModuleInstance *)exec_env->module_inst,`
`4181`	`4181`	`"wasm operand stack overflow");`
`4182`	`4182`	`return false;`