Commit 6db91d7

Fix off-by-one in AOT func_index bounds checks (#4836)
The AOT relocation loader validates func_index using: (func_index = (uint32)atoi(p)) > module->func_count Since func_ptrs is an array of func_count elements (indices 0 to func_count-1), func_index == func_count is out of bounds. The check must use >= instead of > to reject this boundary case. Fix all 4 affected locations in aot_loader.c.
1 parent e71bf6e commit 6db91d7

1 file changed

+4
-4
lines changed

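--- a/core/iwasm/aot/aot_loader.c
+++ b/core/iwasm/aot/aot_loader.c
@@ -3228,7 +3228,7 @@ do_text_relocation(AOTModule *module, AOTRelocationGroup *group,
 if (!strncmp(symbol, AOT_FUNC_PREFIX, strlen(AOT_FUNC_PREFIX))) {
 p = symbol + strlen(AOT_FUNC_PREFIX);
 if (*p == '\0'
-|| (func_index = (uint32)atoi(p)) > module->func_count) {
+|| (func_index = (uint32)atoi(p)) >= module->func_count) {
 set_error_buf_v(error_buf, error_buf_size,
 "invalid import symbol %s", symbol);
 goto check_symbol_fail;
@@ -3262,7 +3262,7 @@ do_text_relocation(AOTModule *module, AOTRelocationGroup *group,
 strlen("_" AOT_FUNC_PREFIX))) {
 p = symbol + strlen("_" AOT_FUNC_PREFIX);
 if (*p == '\0'
-|| (func_index = (uint32)atoi(p)) > module->func_count) {
+|| (func_index = (uint32)atoi(p)) >= module->func_count) {
 set_error_buf_v(error_buf, error_buf_size, "invalid symbol %s",
 symbol);
 goto check_symbol_fail;
@@ -3273,7 +3273,7 @@ do_text_relocation(AOTModule *module, AOTRelocationGroup *group,
 strlen("_" AOT_FUNC_INTERNAL_PREFIX))) {
 p = symbol + strlen("_" AOT_FUNC_INTERNAL_PREFIX);
 if (*p == '\0'
-|| (func_index = (uint32)atoi(p)) > module->func_count) {
+|| (func_index = (uint32)atoi(p)) >= module->func_count) {
 set_error_buf_v(error_buf, error_buf_size, "invalid symbol %s",
 symbol);
 goto check_symbol_fail;
@@ -3463,7 +3463,7 @@ do_data_relocation(AOTModule *module, AOTRelocationGroup *group,
 char *p = symbol + strlen(AOT_FUNC_PREFIX);
 uint32 func_index;
 if (*p == '\0'
-|| (func_index = (uint32)atoi(p)) > module->func_count) {
+|| (func_index = (uint32)atoi(p)) >= module->func_count) {
 set_error_buf_v(error_buf, error_buf_size,
 "invalid relocation symbol %s", symbol);
 return false;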
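Review bot: The index is still parsed with `atoi(p)` at all four sites (three in do_text_relocation, one in do_data_relocation), so a suffix that is not a number parses as 0 and a suffix with trailing characters parses as its leading digits, and both pass the corrected `>=` test whenever func_count is non-zero. A digit string too large for `int` is undefined behaviour in `atoi`, and the symbol presumably comes from the AOT file being loaded, so it should be treated as untrusted. I would parse with `unsigned long v = strtoul(p, &end, 10);` and reject on `end == p || *end != '\0' || v >= module->func_count` before narrowing to `uint32`. A small static helper shared by the four sites would keep them from drifting apart again. Both functions start and end outside the hunks shown, so how func_index is used afterwards is not visible here.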
