Fix off-by-one in aot_alloc_tiny_frame overflow check (#4845)

sumleo · web-flow · commit 595dcd564f63 · 2026-03-03T13:48:42.000+08:00
* Fix off-by-one in aot_alloc_tiny_frame overflow check

The boundary check in aot_alloc_tiny_frame only verifies that
new_frame itself doesn't exceed top_boundary, but doesn't account
for the sizeof(AOTTinyFrame) bytes that are about to be written.
When new_frame equals top_boundary exactly, the check passes but
the subsequent write to new_frame-&gt;func_index goes past the
boundary. This matches the correct pattern used in
aot_alloc_frame (line 4086) which includes the frame size.
diff --git a/core/iwasm/aot/aot_runtime.c b/core/iwasm/aot/aot_runtime.c
@@ -4176,7 +4176,8 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)
 {
     AOTTinyFrame *new_frame = (AOTTinyFrame *)exec_env->wasm_stack.top;
 
-    if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {
+    if ((uint8 *)new_frame + sizeof(AOTTinyFrame)
+        > exec_env->wasm_stack.top_boundary) {
         aot_set_exception((WASMModuleInstance *)exec_env->module_inst,
                           "wasm operand stack overflow");
         return false;

Original file line number	Diff line number	Diff line change
`@@ -4176,7 +4176,8 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)`
`4176`	`4176`	`{`
`4177`	`4177`	`AOTTinyFrame new_frame = (AOTTinyFrame )exec_env->wasm_stack.top;`
`4178`	`4178`
`4179`		`- if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {`
	`4179`	`+ if ((uint8 *)new_frame + sizeof(AOTTinyFrame)`
	`4180`	`+ > exec_env->wasm_stack.top_boundary) {`
`4180`	`4181`	`aot_set_exception((WASMModuleInstance *)exec_env->module_inst,`
`4181`	`4182`	`"wasm operand stack overflow");`
`4182`	`4183`	`return false;`