@@ -2033,28 +2033,32 @@ load_type_section(const uint8 *buf, const uint8 *buf_end, WASMModule *module,
20332033 if (flag == DEFINED_TYPE_REC) {
20342034 read_leb_uint32(p, p_end, rec_count);
20352035
2036- if (rec_count > 1) {
2037- uint64 new_total_size;
2036+ if (rec_count <= 1) {
2037+ set_error_buf(
2038+ error_buf, error_buf_size,
2039+ "recursive type count should be greater than 1");
2040+ return false;
2041+ }
20382042
2039- /* integer overflow */
2040- if (rec_count - 1 > UINT32_MAX - module->type_count) {
2041- set_error_buf(error_buf, error_buf_size,
2042- "recursive type count too large");
2043- return false;
2044- }
2045- new_total_size =
2046- sizeof(WASMFuncType *)
2047- * (uint64)(module->type_count + rec_count - 1);
2048- if (new_total_size > UINT32_MAX) {
2049- set_error_buf(error_buf, error_buf_size,
2050- "allocate memory failed");
2051- return false;
2052- }
2053- MEM_REALLOC(module->types, (uint32)total_size,
2054- (uint32)new_total_size);
2055- module->type_count += rec_count - 1;
2056- total_size = new_total_size;
2043+ uint64 new_total_size;
2044+
2045+ /* integer overflow */
2046+ if (rec_count - 1 > UINT32_MAX - module->type_count) {
2047+ set_error_buf(error_buf, error_buf_size,
2048+ "recursive type count too large");
2049+ return false;
2050+ }
2051+ new_total_size = sizeof(WASMFuncType *)
2052+ * (uint64)(module->type_count + rec_count - 1);
2053+ if (new_total_size > UINT32_MAX) {
2054+ set_error_buf(error_buf, error_buf_size,
2055+ "allocate memory failed");
2056+ return false;
20572057 }
2058+ MEM_REALLOC(module->types, (uint32)total_size,
2059+ (uint32)new_total_size);
2060+ module->type_count += rec_count - 1;
2061+ total_size = new_total_size;
20582062
20592063 LOG_VERBOSE("Processing rec group [%d-%d]",
20602064 processed_type_count,
0 commit comments