From 4b547907ff4485891103d85ec5fc17ce4faddc09 Mon Sep 17 00:00:00 2001
From: Jia Liu
Date: Mon, 16 Jun 2025 16:38:22 +0800
Subject: [PATCH] add validation for array type in load_init_expr(GC only)
---
 core/iwasm/aot/aot_loader.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/core/iwasm/aot/aot_loader.c b/core/iwasm/aot/aot_loader.c
index 84bdd0dda3..f274471f35 100644
--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -1309,6 +1309,13 @@ load_init_expr(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
 read_uint32(buf, buf_end, type_idx);
 read_uint32(buf, buf_end, length);
 
+ if (type_idx >= module->type_count
+ || !wasm_type_is_array_type(module->types[type_idx])) {
+ set_error_buf(error_buf, error_buf_size,
+ "invalid or non-array type index.");
+ goto fail;
+ }
+
 if (init_expr_type == INIT_EXPR_TYPE_ARRAY_NEW_DEFAULT) {
 expr->u.array_new_default.type_index = type_idx;
 expr->u.array_new_default.length = length;
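Review bot: The added guard passes `module->types[type_idx]` to `wasm_type_is_array_type()` as soon as the bounds test succeeds, so it relies on every slot below `module->type_count` being non-NULL when `load_init_expr` runs. Whether that holds is not visible in this hunk, and the helper presumably reads a field of the type it is given. If the table can be sparse or partly populated at this point, adding `|| !module->types[type_idx]` ahead of the array-type test would keep the check from faulting on a malformed AOT file. Separately, `length` is read from the same file buffer on the preceding line and is still stored unchanged in `expr->u.array_new_default.length`; a short comment saying where it is bounded would help, for example `/* type_idx and length come from the AOT file; length is range-checked at <site> */`. The body of `load_init_expr` starts and ends outside the hunk, so any later validation is not visible here.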