Wasm loader enhancement: check code size in code entry (#3892)

TianlongLiang · web-flow · commit bf78863c5611 · 2024-11-07T13:38:42.000+08:00
add wasm loader check: in code entry, the code size should match the size of vec(locals) + expr, and expr should end with opcode end
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -3610,6 +3610,17 @@ load_function_section(const uint8 *buf, const uint8 *buf_end,
 #endif
             }
 
+            /* Code size in code entry can't be smaller than size of vec(locals)
+             * + expr(at least 1 for opcode end). And expressions are encoded by
+             * their instruction sequence terminated with an explicit 0x0B
+             * opcode for end. */
+            if (p_code_end <= p_code || *(p_code_end - 1) != WASM_OP_END) {
+                set_error_buf(
+                    error_buf, error_buf_size,
+                    "section size mismatch: function body END opcode expected");
+                return false;
+            }
+
             /* Alloc memory, layout: function structure + local types */
             code_size = (uint32)(p_code_end - p_code);
 
@@ -15837,15 +15848,12 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
     }
 
     if (loader_ctx->csp_num > 0) {
-        if (cur_func_idx < module->function_count - 1)
-            /* Function with missing end marker (between two functions) */
-            set_error_buf(error_buf, error_buf_size, "END opcode expected");
-        else
-            /* Function with missing end marker
-               (at EOF or end of code sections) */
-            set_error_buf(error_buf, error_buf_size,
-                          "unexpected end of section or function, "
-                          "or section size mismatch");
+        /* unmatched end opcodes result from unbalanced control flow structures,
+         * for example, br_table with inconsistent target count (1 declared, 2
+         * given), or simply superfluous end opcodes */
+        set_error_buf(
+            error_buf, error_buf_size,
+            "unexpected end opcodes from unbalanced control flow structures");
         goto fail;
     }
 
diff --git a/core/iwasm/interpreter/wasm_mini_loader.c b/core/iwasm/interpreter/wasm_mini_loader.c
@@ -1183,6 +1183,8 @@ load_function_section(const uint8 *buf, const uint8 *buf_end,
                 local_count += sub_local_count;
             }
 
+            bh_assert(p_code_end > p_code && *(p_code_end - 1) == WASM_OP_END);
+
             /* Alloc memory, layout: function structure + local types */
             code_size = (uint32)(p_code_end - p_code);
 

Original file line number	Diff line number	Diff line change
`@@ -1183,6 +1183,8 @@ load_function_section(const uint8 buf, const uint8 buf_end,`
`1183`	`1183`	`local_count += sub_local_count;`
`1184`	`1184`	`}`
`1185`	`1185`
	`1186`	`+ bh_assert(p_code_end > p_code && *(p_code_end - 1) == WASM_OP_END);`
	`1187`	`+`
`1186`	`1188`	`/* Alloc memory, layout: function structure + local types */`
`1187`	`1189`	`code_size = (uint32)(p_code_end - p_code);`
`1188`	`1190`