From 78e099b6abe632a6fc52b11c1e4e868cd137841b Mon Sep 17 00:00:00 2001
From: "liang.he" <liang.he@intel.com>
Date: Mon, 18 Apr 2022 19:55:31 +0800
Subject: [PATCH] Add more input checks for some wasm-c-api functions (#1090)

Protect wasm_valtype_new and wasm_tabletype_new from invalid inputs
---
 core/iwasm/common/wasm_c_api.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/core/iwasm/common/wasm_c_api.c b/core/iwasm/common/wasm_c_api.c
index 697beb7b..94f45e8c 100644
--- a/core/iwasm/common/wasm_c_api.c
+++ b/core/iwasm/common/wasm_c_api.c
@@ -186,6 +186,10 @@ failed:                                \
                                 const wasm_##name##_vec_t *src)             \
     {                                                                       \
         size_t i = 0;                                                       \
+                                                                            \
+        if (!out) {                                                         \
+            return;                                                         \
+        }                                                                   \
         memset(out, 0, sizeof(Vector));                                     \
                                                                             \
         if (!src || !src->size) {                                           \
@@ -467,6 +471,14 @@ wasm_valtype_new(wasm_valkind_t kind)
 {
     wasm_valtype_t *val_type;
 
+    if (kind > WASM_F64 && WASM_FUNCREF != kind
+#if WASM_ENABLE_REF_TYPES != 0
+        && WASM_ANYREF != kind
+#endif
+    ) {
+        return NULL;
+    }
+
     if (!(val_type = malloc_internal(sizeof(wasm_valtype_t)))) {
         return NULL;
     }
@@ -775,7 +787,15 @@ wasm_tabletype_new(own wasm_valtype_t *val_type, const wasm_limits_t *limits)
 {
     wasm_tabletype_t *table_type = NULL;
 
-    if (!val_type) {
+    if (!val_type || !limits) {
+        return NULL;
+    }
+
+    if (wasm_valtype_kind(val_type) != WASM_FUNCREF
+#if WASM_ENABLE_REF_TYPES != 0
+        && wasm_valtype_kind(val_type) != WASM_ANYREF
+#endif
+    ) {
         return NULL;
     }
 
@@ -1019,6 +1039,10 @@ wasm_importtype_new(own wasm_byte_vec_t *module_name,
 {
     wasm_importtype_t *import_type = NULL;
 
+    if (!module_name || !field_name || !extern_type) {
+        return NULL;
+    }
+
     if (!(import_type = malloc_internal(sizeof(wasm_importtype_t)))) {
         return NULL;
     }
@@ -1055,6 +1079,7 @@ wasm_importtype_delete(own wasm_importtype_t *import_type)
     DEINIT_VEC(import_type->module_name, wasm_byte_vec_delete);
     DEINIT_VEC(import_type->name, wasm_byte_vec_delete);
     wasm_externtype_delete(import_type->extern_type);
+    import_type->extern_type = NULL;
     wasm_runtime_free(import_type);
 }
 
@@ -1134,6 +1159,10 @@ wasm_exporttype_new(own wasm_byte_vec_t *name,
 {
     wasm_exporttype_t *export_type = NULL;
 
+    if (!name || !extern_type) {
+        return NULL;
+    }
+
     if (!(export_type = malloc_internal(sizeof(wasm_exporttype_t)))) {
         return NULL;
     }