Add overflow check for preserved local offset in preserve_referenced_local

lum1n0us · lum1n0us · commit 3cf5d5fe56e0 · 2025-04-27T12:54:19.000Z
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -9197,6 +9197,15 @@ preserve_referenced_local(WASMLoaderContext *loader_ctx, uint8 opcode,
                         loader_ctx->preserved_local_offset += 2;
                     emit_label(EXT_OP_COPY_STACK_TOP_I64);
                 }
+
+                /* overflow */
+                if (preserved_offset > loader_ctx->preserved_local_offset) {
+                    set_error_buf_v(error_buf, error_buf_size,
+                                    "too much local cells 0x%x",
+                                    loader_ctx->preserved_local_offset);
+                    return false;
+                }
+
                 emit_operand(loader_ctx, local_index);
                 emit_operand(loader_ctx, preserved_offset);
                 emit_label(opcode);
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -4778,6 +4778,11 @@ preserve_referenced_local(WASMLoaderContext *loader_ctx, uint8 opcode,
                         loader_ctx->preserved_local_offset += 2;
                     emit_label(EXT_OP_COPY_STACK_TOP_I64);
                 }
+
+                /* overflow */
+                bh_assert(preserved_offset
+                          > loader_ctx->preserved_local_offset);
+
                 emit_operand(loader_ctx, local_index);
                 emit_operand(loader_ctx, preserved_offset);
                 emit_label(opcode);
