Enhance wasm loader checks for opcode br_table (#3352)

Fix the integer overflow issue when checking target branch depth in opcode
br_table, and fix is_32bit_type not check VALUE_TYPE_ANY issue, which may
cause wasm_loader_push_frame_offset push extra unneeded offset.
This commit is contained in:
Wenyong Huang
2024-04-25 20:07:57 +08:00
committed by GitHub
parent a36c7d5aa9
commit e44465d259
2 changed files with 34 additions and 27 deletions

View File

@ -293,7 +293,10 @@ type2str(uint8 type)
static bool
is_32bit_type(uint8 type)
{
if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
if (type == VALUE_TYPE_I32
|| type == VALUE_TYPE_F32
/* the operand stack is in polymorphic state */
|| type == VALUE_TYPE_ANY
#if WASM_ENABLE_GC != 0
|| (sizeof(uintptr_t) == 4 && wasm_is_type_reftype(type))
#elif WASM_ENABLE_REF_TYPES != 0
@ -11533,16 +11536,17 @@ re_scan:
#endif
POP_I32();
/* Get the default depth and check it */
/* Get each depth and check it */
p_org = p;
for (i = 0; i <= count; i++) {
read_leb_uint32(p, p_end, depth);
}
if (loader_ctx->csp_num < depth + 1) {
set_error_buf(error_buf, error_buf_size,
"unknown label, "
"unexpected end of section or function");
goto fail;
bh_assert(loader_ctx->csp_num > 0);
if (loader_ctx->csp_num - 1 < depth) {
set_error_buf(error_buf, error_buf_size,
"unknown label, "
"unexpected end of section or function");
goto fail;
}
}
p = p_org;
@ -11558,12 +11562,6 @@ re_scan:
for (i = 0; i <= count; i++) {
p_org = p;
read_leb_uint32(p, p_end, depth);
if (loader_ctx->csp_num < depth + 1) {
set_error_buf(error_buf, error_buf_size,
"unknown label, "
"unexpected end of section or function");
goto fail;
}
p = p_org;
/* Get the target block's arity and check it */
@ -11965,8 +11963,7 @@ re_scan:
loader_ctx->reftype_map_num--;
}
#endif
if (is_32bit_type(*(loader_ctx->frame_ref - 1))
|| *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
loader_ctx->frame_ref--;
loader_ctx->stack_cell_num--;
#if WASM_ENABLE_FAST_INTERP != 0