From f0aee7529abd57855e726da0d421d999027b1261 Mon Sep 17 00:00:00 2001
From: Wenyong Huang
Date: Wed, 24 Apr 2024 16:08:16 +0800
Subject: [PATCH 1/3] Enhance wasm loader checks for opcode br_table
---
 core/iwasm/interpreter/wasm_loader.c | 29 ++++++++++-------------
 core/iwasm/interpreter/wasm_mini_loader.c | 29 +++++++++++++++--------
 2 files changed, 32 insertions(+), 26 deletions(-)
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 9aab9febd6..1bc51d7b90 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -293,7 +293,10 @@ type2str(uint8 type)
 static bool
 is_32bit_type(uint8 type)
 {
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
+ if (type == VALUE_TYPE_I32
+ || type == VALUE_TYPE_F32
+ /* the operand stack is in polymorphic state */
+ || type == VALUE_TYPE_ANY
 #if WASM_ENABLE_GC != 0
 || (sizeof(uintptr_t) == 4 && wasm_is_type_reftype(type))
 #elif WASM_ENABLE_REF_TYPES != 0
@@ -11533,16 +11536,17 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 #endif
 POP_I32();
- /* Get the default depth and check it */
+ /* Get each depth and check it */
 p_org = p;
 for (i = 0; i <= count; i++) {
 read_leb_uint32(p, p_end, depth);
- }
- if (loader_ctx->csp_num < depth + 1) {
- set_error_buf(error_buf, error_buf_size,
- "unknown label, "
- "unexpected end of section or function");
- goto fail;
+ bh_assert(loader_ctx->csp_num > 0);
+ if (loader_ctx->csp_num - 1 < depth) {
+ set_error_buf(error_buf, error_buf_size,
+ "unknown label, "
+ "unexpected end of section or function");
+ goto fail;
+ }
 }
 p = p_org;
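Review bot: Folding VALUE_TYPE_ANY into is_32bit_type widens a predicate whose name reads as a plain value-type query, so every caller now treats ANY as a one-cell 32-bit value, not only the pop sites this series also edits; the remaining callers are not visible here, so it is worth confirming none of them rejected ANY deliberately. The new comment says when ANY appears but not why it belongs in this list; I would state the intent on the added line: `/* VALUE_TYPE_ANY marks a slot pushed while the operand stack is polymorphic; it occupies a single cell, so pop it like a 32-bit value */`. The same change is made to the mini loader's is_32bit_type in the second file of this patch.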
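Review bot: The new bound `loader_ctx->csp_num - 1 < depth` relies on the preceding bh_assert to keep the unsigned subtraction from wrapping, and if bh_assert compiles to nothing outside debug builds the check would accept any depth whenever csp_num is 0; `if (depth >= loader_ctx->csp_num) {` expresses the same bound without the subtraction or the assertion. The same shape appears in the mini loader's new loop in the second file (`bh_assert(loader_ctx->csp_num - 1 >= depth)`), where `bh_assert(depth < loader_ctx->csp_num);` reads the same way. The enclosing br_table case continues outside the hunk.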
@@ -11558,12 +11562,6 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 for (i = 0; i <= count; i++) {
 p_org = p;
 read_leb_uint32(p, p_end, depth);
- if (loader_ctx->csp_num < depth + 1) {
- set_error_buf(error_buf, error_buf_size,
- "unknown label, "
- "unexpected end of section or function");
- goto fail;
- }
 p = p_org;
 /* Get the target block's arity and check it */
@@ -11965,8 +11963,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 loader_ctx->reftype_map_num--;
 }
 #endif
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
 loader_ctx->frame_ref--;
 loader_ctx->stack_cell_num--;
 #if WASM_ENABLE_FAST_INTERP != 0
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index d5282c6756..3ac8bc54de 100644
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -67,7 +67,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
 static bool
 is_32bit_type(uint8 type)
 {
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
+ if (type == VALUE_TYPE_I32
+ || type == VALUE_TYPE_F32
+ /* the operand stack is in polymorphic state */
+ || VALUE_TYPE_ANY
 #if WASM_ENABLE_REF_TYPES != 0
 || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
 #endif
@@ -4237,7 +4240,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
 ctx->frame_ref--;
 ctx->stack_cell_num--;
- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)
+ if (is_32bit_type(type))
 return true;
 ctx->frame_ref--;
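Review bot: Dropping `|| *ctx->frame_ref == VALUE_TYPE_ANY` in wasm_loader_pop_frame_ref is not equivalent to the is_32bit_type change, because that clause tested the type of the slot just popped while is_32bit_type(type) tests the requested type; when a 64-bit type is popped from a slot holding VALUE_TYPE_ANY the old code stopped after one cell and the new code falls through to the second `ctx->frame_ref--`. Unless an earlier check in this function (not visible in the hunk) already rules that combination out, I would keep the slot test: `if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)`. The two drop sites in wasm_loader_prepare_bytecode are unaffected since they pass the slot type itself to is_32bit_type.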
@@ -6353,11 +6356,9 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 uint8 *ret_types = NULL;
 uint32 ret_count = 0;
 #if WASM_ENABLE_FAST_INTERP == 0
- uint8 *p_depth_begin, *p_depth;
- uint32 depth, j;
 BrTableCache *br_table_cache = NULL;
-
- p_org = p - 1;
+ uint8 *p_depth_begin, *p_depth, *p_ocode = p - 1;
+ uint32 depth, j;
 #endif
 read_leb_uint32(p, p_end, count);
@@ -6366,6 +6367,15 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 #endif
 POP_I32();
+ /* Get each depth and check it */
+ p_org = p;
+ for (i = 0; i <= count; i++) {
+ read_leb_uint32(p, p_end, depth);
+ bh_assert(loader_ctx->csp_num > 0);
+ bh_assert(loader_ctx->csp_num - 1 >= depth);
+ }
+ p = p_org;
+
 #if WASM_ENABLE_FAST_INTERP == 0
 p_depth_begin = p_depth = p;
 #endif
@@ -6391,8 +6401,8 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 error_buf, error_buf_size))) {
 goto fail;
 }
- *p_org = EXT_OP_BR_TABLE_CACHE;
- br_table_cache->br_table_op_addr = p_org;
+ *p_code = EXT_OP_BR_TABLE_CACHE;
+ br_table_cache->br_table_op_addr = p_opcode;
 br_table_cache->br_count = count;
 /* Copy previous depths which are one byte */
 for (j = 0; j < i; j++) {
@@ -6623,8 +6633,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 && !cur_block->is_stack_polymorphic));
 if (available_stack_cell > 0) {
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
 loader_ctx->frame_ref--;
 loader_ctx->stack_cell_num--;
 #if WASM_ENABLE_FAST_INTERP != 0
From e185eaa5bf966c2ec0ed65941d134561ced59850 Mon Sep 17 00:00:00 2001
From: Wenyong Huang
Date: Wed, 24 Apr 2024 16:15:41 +0800
Subject: [PATCH 2/3] fix typo
---
 core/iwasm/interpreter/wasm_mini_loader.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index 3ac8bc54de..c2daf83880 100644
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -70,7 +70,7 @@ is_32bit_type(uint8 type)
 if (type == VALUE_TYPE_I32
 || type == VALUE_TYPE_F32
 /* the operand stack is in polymorphic state */
- || VALUE_TYPE_ANY
+ || type == VALUE_TYPE_ANY
 #if WASM_ENABLE_REF_TYPES != 0
 || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
 #endif
@@ -6357,7 +6357,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 uint32 ret_count = 0;
 #if WASM_ENABLE_FAST_INTERP == 0
 BrTableCache *br_table_cache = NULL;
- uint8 *p_depth_begin, *p_depth, *p_ocode = p - 1;
+ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
 uint32 depth, j;
 #endif
@@ -6401,7 +6401,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 error_buf, error_buf_size))) {
 goto fail;
 }
- *p_code = EXT_OP_BR_TABLE_CACHE;
+ *p_opcode = EXT_OP_BR_TABLE_CACHE;
 br_table_cache->br_table_op_addr = p_opcode;
 br_table_cache->br_count = count;
 /* Copy previous depths which are one byte */
From 7512c0b79c26558f173c3ee85db77be21cdd8c42 Mon Sep 17 00:00:00 2001
From: Wenyong Huang
Date: Wed, 24 Apr 2024 16:23:36 +0800
Subject: [PATCH 3/3] fix build error
---
 core/iwasm/interpreter/wasm_mini_loader.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index c2daf83880..20084e146d 100644
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -6354,11 +6354,11 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 case WASM_OP_BR_TABLE:
 {
 uint8 *ret_types = NULL;
- uint32 ret_count = 0;
+ uint32 ret_count = 0, depth = 0;
 #if WASM_ENABLE_FAST_INTERP == 0
 BrTableCache *br_table_cache = NULL;
 uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
- uint32 depth, j;
+ uint32 j;
 #endif
 read_leb_uint32(p, p_end, count);
@@ -6373,6 +6373,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
 read_leb_uint32(p, p_end, depth);
 bh_assert(loader_ctx->csp_num > 0);
 bh_assert(loader_ctx->csp_num - 1 >= depth);
+ (void)depth;
 }
 p = p_org;
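Review bot: `(void)depth;` inside the loop has no visible purpose in the hunk, and given the commit subject it is presumably there to keep the build quiet when the bh_assert that reads depth is compiled out; a short comment would stop the next person from removing it, e.g. `(void)depth; /* only read by bh_assert, which may be compiled out */`. The enclosing br_table case starts outside the hunk.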