Add integer overflow check for some indices in wasm/aot loader (#3579)
Check whether the indices overflow UINT32_MAX or not for: - import function count + function count - import global count + global count - import tag count + tag count This PR fixes the issue reported by Oss-fuzz test (#69920).
This commit is contained in:
@ -3627,6 +3627,10 @@ load_function_section(const uint8 *buf, const uint8 *buf_end,
|
||||
return false;
|
||||
}
|
||||
|
||||
if (is_indices_overflow(module->import_function_count, func_count,
|
||||
error_buf, error_buf_size))
|
||||
return false;
|
||||
|
||||
if (func_count) {
|
||||
module->function_count = func_count;
|
||||
total_size = sizeof(WASMFunction *) * (uint64)func_count;
|
||||
@ -4022,6 +4026,9 @@ load_global_section(const uint8 *buf, const uint8 *buf_end, WASMModule *module,
|
||||
#endif
|
||||
|
||||
read_leb_uint32(p, p_end, global_count);
|
||||
if (is_indices_overflow(module->import_global_count, global_count,
|
||||
error_buf, error_buf_size))
|
||||
return false;
|
||||
|
||||
module->global_count = 0;
|
||||
if (global_count) {
|
||||
@ -4921,6 +4928,10 @@ load_tag_section(const uint8 *buf, const uint8 *buf_end, const uint8 *buf_code,
|
||||
|
||||
/* get tag count */
|
||||
read_leb_uint32(p, p_end, section_tag_count);
|
||||
if (is_indices_overflow(module->import_tag_count, section_tag_count,
|
||||
error_buf, error_buf_size))
|
||||
return false;
|
||||
|
||||
module->tag_count = section_tag_count;
|
||||
|
||||
if (section_tag_count) {
|
||||
|
||||
Reference in New Issue
Block a user