
Fix off-by-one in aot_alloc_tiny_frame overflow check (#4845)

* Fix off-by-one in aot_alloc_tiny_frame overflow check

The boundary check in aot_alloc_tiny_frame only verifies that
new_frame itself doesn't exceed top_boundary, but doesn't account
for the sizeof(AOTTinyFrame) bytes that are about to be written.
When new_frame equals top_boundary exactly, the check passes but
the subsequent write to new_frame->func_index goes past the
boundary. This matches the correct pattern used in
aot_alloc_frame (line 4086) which includes the frame size.
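A constructed C model of the boundary check described in the commit message, added here and not WAMR's own code: it assumes a one-field AOTTinyFrame and a minimal WasmStack stand-in for exec_env->wasm_stack, and counts how many frames the old and the corrected condition each admit into a fixed-size stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-ins (assumed, not WAMR's real definitions) for
 * AOTTinyFrame and the wasm_stack fields of WASMExecEnv. */
typedef struct { uint32_t func_index; } AOTTinyFrame;
typedef struct {
    uint8_t *top;          /* next free byte of the operand stack */
    uint8_t *top_boundary; /* one past the last usable byte */
} WasmStack;
/* Before the fix: only the frame's start is compared, so a frame starting
 * exactly at top_boundary is accepted and then written out of bounds. */
static bool tiny_frame_fits_old(const WasmStack *s)
{
    return !(s->top > s->top_boundary);
}

/* After the fix: the whole frame must end at or before the boundary. */
static bool tiny_frame_fits_new(const WasmStack *s)
{
    return !(s->top + sizeof(AOTTinyFrame) > s->top_boundary);
}

/* Allocation built on the corrected check; NULL on overflow, no write. */
static AOTTinyFrame *alloc_tiny_frame(WasmStack *s, uint32_t func_index)
{
    if (!tiny_frame_fits_new(s))
        return NULL;
    AOTTinyFrame *f = (AOTTinyFrame *)s->top;
    f->func_index = func_index;
    s->top += sizeof(AOTTinyFrame);
    return f;
}

/* Frames admitted into a stack_size-byte stack by each check. Backing
 * storage is larger than stack_size so the old check's one-frame overrun
 * stays inside a real allocation in this demo. */
static int frames_admitted(size_t stack_size, bool use_new_check)
{
    static uint64_t storage[16]; /* 128 bytes, suitably aligned */
    WasmStack s = { (uint8_t *)storage, (uint8_t *)storage + stack_size };
    int n = 0;
    while (use_new_check ? alloc_tiny_frame(&s, (uint32_t)n) != NULL
                         : tiny_frame_fits_old(&s)) {
        if (!use_new_check)
            s.top += sizeof(AOTTinyFrame); /* the real code writes here */
        n++;
    }
    return n;
}
```

With a 16-byte stack and 4-byte frames the old condition admits a fifth frame starting at top_boundary, and it even admits one frame into a zero-byte stack.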
Yi Liu 1 day ago
parent commit 595dcd564f
1 changed file with 2 additions and 1 deletion

+ 2 - 1
core/iwasm/aot/aot_runtime.c

@@ -4176,7 +4176,8 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)
 {
     AOTTinyFrame *new_frame = (AOTTinyFrame *)exec_env->wasm_stack.top;
 
-    if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {
+    if ((uint8 *)new_frame + sizeof(AOTTinyFrame)
+        > exec_env->wasm_stack.top_boundary) {
         aot_set_exception((WASMModuleInstance *)exec_env->module_inst,
                           "wasm operand stack overflow");
         return false;
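Review bot: The corrected condition `(uint8 *)new_frame + sizeof(AOTTinyFrame) > exec_env->wasm_stack.top_boundary` relies on top_boundary being an exclusive end (one past the last usable byte), so a frame that ends exactly at top_boundary is still admitted; worth confirming that this matches the aot_alloc_frame check at line 4086 the message cites, and adding a regression test that fills the operand stack to exactly top_boundary and expects the "wasm operand stack overflow" exception on the next tiny-frame allocation rather than a write past the boundary.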