Fix off-by-one in AOT func_index bounds checks#4836

Merged
lum1n0us merged 1 commit intobytecodealliance:mainfrom
sumleo:fix/aot-func-index-off-by-one
Feb 13, 2026
Conversation

@sumleo
Contributor

@sumleo sumleo commented Feb 12, 2026

The AOT relocation loader validates func_index parsed from symbols like aot_func#N using:

(func_index = (uint32)atoi(p)) > module->func_count

Since func_ptrs is allocated with exactly func_count elements (indices 0 to func_count-1), func_index == func_count is out of bounds but passes the > check.

This patch changes > to >= in all 4 affected locations in do_text_relocation() and do_data_relocation().
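To make the boundary case concrete, the following is an added example (not WAMR's own loader code) that models the check with a stand-in for module->func_count; parse_aot_func_index, accepts_index_buggy and accepts_index_fixed are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an "aot_func#N" symbol name the way the description shows
 * (atoi on the digits after '#'); returns -1 when the prefix is missing. */
static int64_t parse_aot_func_index(const char *sym)
{
    const char *prefix = "aot_func#";
    size_t plen = strlen(prefix);
    if (strncmp(sym, prefix, plen) != 0)
        return -1;
    return (int64_t)(uint32_t)atoi(sym + plen);
}

/* The original check: only func_index > func_count is rejected, so
 * func_index == func_count (one past the end of func_ptrs) is accepted. */
static int accepts_index_buggy(uint32_t func_count, uint32_t func_index)
{
    return !(func_index > func_count);
}

/* The corrected check: func_ptrs holds func_count entries (0..func_count-1),
 * so any index >= func_count is out of bounds and must be rejected. */
static int accepts_index_fixed(uint32_t func_count, uint32_t func_index)
{
    return !(func_index >= func_count);
}

int main(void)
{
    const uint32_t func_count = 4; /* constructed: a module with 4 functions */
    const char *syms[] = { "aot_func#3", "aot_func#4", "aot_func#5" };
    for (size_t i = 0; i < sizeof syms / sizeof syms[0]; i++) {
        int64_t idx = parse_aot_func_index(syms[i]);
        printf("%s -> index %lld: buggy=%s fixed=%s\n", syms[i], (long long)idx,
               accepts_index_buggy(func_count, (uint32_t)idx) ? "accept" : "reject",
               accepts_index_fixed(func_count, (uint32_t)idx) ? "accept" : "reject");
    }
    return 0;
}
```

Only the "aot_func#4" line differs between the two columns: the buggy check accepts it, the fixed one rejects it.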

@TianlongLiang
Contributor

The modification is valid, but you may want to modify the unit test case; currently it doesn't make any sense. I suggest modifying it to actually cover your modification, or simply removing it would be fine too.

The AOT relocation loader validates func_index using:
  (func_index = (uint32)atoi(p)) > module->func_count

Since func_ptrs is an array of func_count elements (indices 0 to
func_count-1), func_index == func_count is out of bounds. The check
must use >= instead of > to reject this boundary case.

Fix all 4 affected locations in aot_loader.c.
@sumleo sumleo force-pushed the fix/aot-func-index-off-by-one branch from 13c7aef to 198fee8 on February 12, 2026 01:31
@sumleo
Contributor Author

sumleo commented Feb 12, 2026

Removed.

@lum1n0us lum1n0us merged commit 6db91d7 into bytecodealliance:main Feb 13, 2026
504 checks passed

3 participants