Fix issue of wasm/aot file malformed format (#853)

Fix possible integer overflow unchecked issue when checking
wasm/aot file format.

core/iwasm/aot/aot_loader.c

@@ -90,7 +90,7 @@ static bool
 check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
           char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
         set_error_buf(error_buf, error_buf_size, "unexpect end");
         return false;
     }

core/iwasm/interpreter/wasm_loader.c

@@ -47,7 +47,7 @@ static bool
 check_buf(const uint8 *buf, const uint8 *buf_end, uint32 length,
           char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
         set_error_buf(error_buf, error_buf_size,
                       "unexpected end of section or function");
         return false;
@@ -59,7 +59,7 @@ static bool
 check_buf1(const uint8 *buf, const uint8 *buf_end, uint32 length,
            char *error_buf, uint32 error_buf_size)
 {
-    if (buf + length > buf_end) {
+    if (buf + length < buf || buf + length > buf_end) {
         set_error_buf(error_buf, error_buf_size, "unexpected end");
         return false;
     }
@@ -1034,7 +1034,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
     bool linked_call_conv_raw = false;
     bool is_native_symbol = false;
 
-    CHECK_BUF(p, p_end, 1);
     read_leb_uint32(p, p_end, declare_type_index);
     *p_buf = p;
 
@@ -3335,7 +3334,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
                 }
                 last_section_index = section_index;
             }
-            CHECK_BUF1(p, p_end, 1);
             read_leb_uint32(p, p_end, section_size);
             CHECK_BUF1(p, p_end, section_size);
 

core/iwasm/interpreter/wasm_mini_loader.c

@@ -25,14 +25,14 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
                  string);
 }
 
-#define CHECK_BUF(buf, buf_end, length)     \
-    do {                                    \
-        bh_assert(buf + length <= buf_end); \
+#define CHECK_BUF(buf, buf_end, length)                            \
+    do {                                                           \
+        bh_assert(buf + length >= buf && buf + length <= buf_end); \
     } while (0)
 
-#define CHECK_BUF1(buf, buf_end, length)    \
-    do {                                    \
-        bh_assert(buf + length <= buf_end); \
+#define CHECK_BUF1(buf, buf_end, length)                           \
+    do {                                                           \
+        bh_assert(buf + length >= buf && buf + length <= buf_end); \
     } while (0)
 
 #define skip_leb(p) while (*p++ & 0x80)
@@ -45,7 +45,7 @@ is_32bit_type(uint8 type)
 {
     if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
 #if WASM_ENABLE_REF_TYPES != 0
-        || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF)
+        || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
 #endif
     )
         return true;
@@ -412,7 +412,6 @@ load_function_import(const uint8 **p_buf, const uint8 *buf_end,
     void *linked_attachment = NULL;
     bool linked_call_conv_raw = false;
 
-    CHECK_BUF(p, p_end, 1);
     read_leb_uint32(p, p_end, declare_type_index);
     *p_buf = p;
 
@@ -2232,7 +2231,6 @@ create_sections(const uint8 *buf, uint32 size, WASMSection **p_section_list,
                           || last_section_index < section_index);
                 last_section_index = section_index;
             }
-            CHECK_BUF1(p, p_end, 1);
             read_leb_uint32(p, p_end, section_size);
             CHECK_BUF1(p, p_end, section_size);