From fd9cce0eef431e5b040d66d49fab4cd1e2f53d01 Mon Sep 17 00:00:00 2001
From: Xu Jun <693788454@qq.com>
Date: Thu, 7 Apr 2022 21:07:32 +0800
Subject: [PATCH] Add fast interpreter offset overflow check (#1076)

* check fast interpreter offset overflow
---
 core/iwasm/interpreter/wasm_loader.c | 17 +++++++++++++++--
 core/iwasm/interpreter/wasm_mini_loader.c | 8 ++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index 40228179..ac8bb20b 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -5317,8 +5317,12 @@ wasm_loader_push_frame_offset(WASMLoaderContext *ctx, uint8 type,
         emit_operand(ctx, ctx->dynamic_offset);
         *(ctx->frame_offset)++ = ctx->dynamic_offset;
         ctx->dynamic_offset++;
-        if (ctx->dynamic_offset > ctx->max_dynamic_offset)
+        if (ctx->dynamic_offset > ctx->max_dynamic_offset) {
             ctx->max_dynamic_offset = ctx->dynamic_offset;
+            if (ctx->max_dynamic_offset >= INT16_MAX) {
+                goto fail;
+            }
+        }
     }
 
     if (is_32bit_type(type))
@@ -5332,10 +5336,19 @@ wasm_loader_push_frame_offset(WASMLoaderContext *ctx, uint8 type,
     ctx->frame_offset++;
     if (!disable_emit) {
         ctx->dynamic_offset++;
-        if (ctx->dynamic_offset > ctx->max_dynamic_offset)
+        if (ctx->dynamic_offset > ctx->max_dynamic_offset) {
             ctx->max_dynamic_offset = ctx->dynamic_offset;
+            if (ctx->max_dynamic_offset >= INT16_MAX) {
+                goto fail;
+            }
+        }
     }
     return true;
+
+fail:
+    set_error_buf(error_buf, error_buf_size,
+                  "fast interpreter offset overflow");
+    return false;
 }
 
 /* This function should be in front of wasm_loader_pop_frame_ref
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
index 8f36e7ae..c12df500 100644
--- a/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/core/iwasm/interpreter/wasm_mini_loader.c
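Review bot: The new INT16_MAX guard is pasted twice with an identical body (the 32-bit branch in the first hunk and the 64-bit second-slot branch in the second hunk), and neither says why INT16_MAX is the bound, so a reader has to guess that frame offsets are emitted as 16-bit operands. A one-line comment above the first check, `/* operand offsets are emitted as int16; a larger frame would wrap the offset and index outside the frame at run time */`, would make the guard self-explaining (the int16 encoding is inferred from the bound rather than visible here — confirm against emit_operand before writing it). Folding the compare-and-goto into a small static helper that takes the context and the error buffer would remove the duplication and keep the two branches from drifting. Note that emit_operand() and the frame_offset store run before the guard, so on the fail path partially emitted bytecode is left behind; that is harmless only if every caller treats the false return as fatal for the whole load, which the hunk does not show. wasm_loader_push_frame_offset begins before the first hunk.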
@@ -3844,8 +3844,10 @@ wasm_loader_push_frame_offset(WASMLoaderContext *ctx, uint8 type,
         emit_operand(ctx, ctx->dynamic_offset);
         *(ctx->frame_offset)++ = ctx->dynamic_offset;
         ctx->dynamic_offset++;
-        if (ctx->dynamic_offset > ctx->max_dynamic_offset)
+        if (ctx->dynamic_offset > ctx->max_dynamic_offset) {
             ctx->max_dynamic_offset = ctx->dynamic_offset;
+            bh_assert(ctx->max_dynamic_offset < INT16_MAX);
+        }
     }
 
     if (is_32bit_type(type))
@@ -3859,8 +3861,10 @@ wasm_loader_push_frame_offset(WASMLoaderContext *ctx, uint8 type,
     ctx->frame_offset++;
     if (!disable_emit) {
         ctx->dynamic_offset++;
-        if (ctx->dynamic_offset > ctx->max_dynamic_offset)
+        if (ctx->dynamic_offset > ctx->max_dynamic_offset) {
             ctx->max_dynamic_offset = ctx->dynamic_offset;
+            bh_assert(ctx->max_dynamic_offset < INT16_MAX);
+        }
     }
     return true;
 }
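Review bot: In the mini loader the same overflow is caught only by `bh_assert(ctx->max_dynamic_offset < INT16_MAX);` in both hunks, so if bh_assert compiles out in non-debug builds (likely for an assert macro, but not visible here) an oversized frame is not rejected at all and the offsets silently pass the 16-bit limit the full loader now refuses. If the mini loader is meant only for modules that were already validated by the full loader, that contract is worth stating next to the assertion, e.g. `/* mini loader assumes a pre-validated module; the full loader rejects this with "fast interpreter offset overflow" */`. Otherwise the assertion should become an unconditional check that fails the load, mirroring wasm_loader.c. wasm_loader_push_frame_offset begins before the first hunk.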