Commit b8ff98c

Fix possible integer overflow in loader target block check (#3133)
Checking with `loader_ctx->csp_num < depth + 1` has a potential integer overflow issue when depth is UINT_MAX; change to `loader_ctx->csp_num - 1 < depth` instead. Reported in #3130.
1 parent 1a676f2 commit b8ff98c

2 files changed

+4
-2
lines changed

core/iwasm/interpreter/wasm_loader.c

+2-1
@@ -7071,7 +7071,8 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
70717071
int32 i, available_stack_cell;
70727072
uint16 cell_num;
70737073

7074-
if (loader_ctx->csp_num < depth + 1) {
7074+
bh_assert(loader_ctx->csp_num > 0);
7075+
if (loader_ctx->csp_num - 1 < depth) {
70757076
set_error_buf(error_buf, error_buf_size,
70767077
"unknown label, "
70777078
"unexpected end of section or function");

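Review bot: At new line 7074 the only guard against `csp_num == 0` is a `bh_assert`, and the comparison on the next line depends on it. If `csp_num` is an unsigned count and the assertion is compiled out or does not abort, `loader_ctx->csp_num - 1` wraps around and the "unknown label" error path is skipped for every `depth`. A comparison with no arithmetic, `if (depth >= loader_ctx->csp_num)`, rejects the same labels as the old check, also covers `depth == UINT_MAX`, and needs no precondition on `csp_num`.
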
core/iwasm/interpreter/wasm_mini_loader.c

+2-1
@@ -5226,7 +5226,8 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
52265226
int32 i, available_stack_cell;
52275227
uint16 cell_num;
52285228

5229-
if (loader_ctx->csp_num < depth + 1) {
5229+
bh_assert(loader_ctx->csp_num > 0);
5230+
if (loader_ctx->csp_num - 1 < depth) {
52305231
set_error_buf(error_buf, error_buf_size,
52315232
"unknown label, "
52325233
"unexpected end of section or function");

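Review bot: The rewritten check at new lines 5229-5230 has no comment explaining why it is written as `csp_num - 1 < depth` rather than the more natural `csp_num < depth + 1`. The reason (`depth + 1` wrapping when depth is UINT_MAX) is recorded only in the commit message, so a later cleanup could quietly revert it. Add a one-line comment above the `if` stating the wrap-around case, and since this hunk is identical to the one in wasm_loader.c, keep the two checks in the same form so they do not drift apart.
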