
Commit f6c257a

committed
loader: add type index checking
1 parent 7471d5a commit f6c257a

1 file changed

Lines changed: 14 additions & 0 deletions


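--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -1730,6 +1730,10 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 (void)u8;
 
 read_uint32(buf, buf_end, j);
+if (j >= module->type_count) {
+set_error_buf(error_buf, error_buf_size, "invalid type index");
+goto fail;
+}
 if (module->types[j]->ref_count == UINT16_MAX) {
 set_error_buf(error_buf, error_buf_size,
 "wasm type's ref count too large");
@@ -1993,6 +1997,11 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 AOTType *cur_type = module->types[j];
 parent_type_idx = cur_type->parent_type_idx;
 if (parent_type_idx != (uint32)-1) { /* has parent */
+if (parent_type_idx >= module->type_count) {
+set_error_buf(error_buf, error_buf_size,
+"invalid parent type index");
+goto fail;
+}
 AOTType *parent_type = module->types[parent_type_idx];
 
 module->types[j]->parent_type = parent_type;
@@ -2015,6 +2024,11 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 for (j = i - rec_idx; j <= i; j++) {
 AOTType *cur_type = module->types[j];
 parent_type_idx = cur_type->parent_type_idx;
+if (parent_type_idx >= module->type_count) {
+set_error_buf(error_buf, error_buf_size,
+"invalid parent type index");
+goto fail;
+}
 if (parent_type_idx != (uint32)-1) { /* has parent */
 AOTType *parent_type = module->types[parent_type_idx];
 /* subtyping has been checked during compilation */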
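Review bot: In the third hunk the new bounds check at new line 2027 sits before the `parent_type_idx != (uint32)-1` test, so the "no parent" sentinel itself satisfies `parent_type_idx >= module->type_count` and every type without a parent in that loop is rejected with "invalid parent type index" (assuming both values are `uint32`; their declarations are outside the hunk). The second hunk places the same check inside the has-parent branch; doing the same here, or writing the guard as `if (parent_type_idx != (uint32)-1 && parent_type_idx >= module->type_count) {`, keeps the sentinel valid while still stopping the out-of-range read of `module->types[parent_type_idx]`. Separately, the check at 1733 only proves `j` is within the array; whether `module->types[j]` can still be NULL for an index that has not been loaded yet is not visible here and should be confirmed before the `->ref_count` dereference. `load_types` begins and ends outside all three hunks.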
