add validation for recursive type count in loader (#4522)

kylo5aby · web-flow · commit aad186626074 · 2025-07-31T16:19:08.000+08:00
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -400,8 +400,7 @@ check_array_type(const WASMModule *module, uint32 type_index, char *error_buf,
                           error_buf_size)) {
         return false;
     }
-    if (module->types[type_index] == NULL
-        || module->types[type_index]->type_flag != WASM_TYPE_ARRAY) {
+    if (module->types[type_index]->type_flag != WASM_TYPE_ARRAY) {
         set_error_buf(error_buf, error_buf_size, "unknown array type");
         return false;
     }
@@ -424,8 +423,7 @@ check_function_type(const WASMModule *module, uint32 type_index,
     }
 
 #if WASM_ENABLE_GC != 0
-    if (module->types[type_index] == NULL
-        || module->types[type_index]->type_flag != WASM_TYPE_FUNC) {
+    if (module->types[type_index]->type_flag != WASM_TYPE_FUNC) {
         set_error_buf(error_buf, error_buf_size, "unknown function type");
         return false;
     }
@@ -1257,9 +1255,8 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
                                               error_buf_size)) {
                             goto fail;
                         }
-                        if (module->types[type_idx] == NULL
-                            || module->types[type_idx]->type_flag
-                                   != WASM_TYPE_STRUCT) {
+                        if (module->types[type_idx]->type_flag
+                            != WASM_TYPE_STRUCT) {
                             set_error_buf(error_buf, error_buf_size,
                                           "unknown struct type");
                             goto fail;
@@ -2499,6 +2496,13 @@ load_type_section(const uint8 *buf, const uint8 *buf_end, WASMModule *module,
 #endif /* end of WASM_ENABLE_GC == 0 */
     }
 
+    for (i = 0; i < module->type_count; i++) {
+        if (module->types[i] == NULL) {
+            set_error_buf_v(error_buf, error_buf_size, "unknown type %d", i);
+            return false;
+        }
+    }
+
     if (p != p_end) {
         set_error_buf(error_buf, error_buf_size, "section size mismatch");
         return false;
@@ -12685,9 +12689,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                                           error_buf, error_buf_size)) {
                         goto fail;
                     }
-                    if (module->types[type_idx1] == NULL
-                        || module->types[type_idx1]->type_flag
-                               != WASM_TYPE_FUNC) {
+                    if (module->types[type_idx1]->type_flag != WASM_TYPE_FUNC) {
                         set_error_buf(error_buf, error_buf_size,
                                       "unknown function type");
                         goto fail;
@@ -12704,9 +12706,7 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                                           error_buf, error_buf_size)) {
                         goto fail;
                     }
-                    if (module->types[type_idx] == NULL
-                        || module->types[type_idx]->type_flag
-                               != WASM_TYPE_FUNC) {
+                    if (module->types[type_idx]->type_flag != WASM_TYPE_FUNC) {
                         set_error_buf(error_buf, error_buf_size,
                                       "unknown function type");
                         goto fail;
@@ -14542,9 +14542,8 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                                               error_buf_size)) {
                             goto fail;
                         }
-                        if (module->types[type_idx] == NULL
-                            || module->types[type_idx]->type_flag
-                                   != WASM_TYPE_STRUCT) {
+                        if (module->types[type_idx]->type_flag
+                            != WASM_TYPE_STRUCT) {
                             set_error_buf(error_buf, error_buf_size,
                                           "unknown struct type");
                             goto fail;
@@ -14630,9 +14629,8 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                                               error_buf_size)) {
                             goto fail;
                         }
-                        if (module->types[type_idx] == NULL
-                            || module->types[type_idx]->type_flag
-                                   != WASM_TYPE_STRUCT) {
+                        if (module->types[type_idx]->type_flag
+                            != WASM_TYPE_STRUCT) {
                             set_error_buf(error_buf, error_buf_size,
                                           "unknown struct type");
                             goto fail;
