@@ -1730,6 +1730,12 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
17301730 (void )u8 ;
17311731
17321732 read_uint32 (buf , buf_end , j );
1733+ #if WASM_ENABLE_AOT_VALIDATOR != 0
1734+ if (j >= module -> type_count ) {
1735+ set_error_buf (error_buf , error_buf_size , "invalid type index" );
1736+ goto fail ;
1737+ }
1738+ #endif
17331739 if (module -> types [j ]-> ref_count == UINT16_MAX ) {
17341740 set_error_buf (error_buf , error_buf_size ,
17351741 "wasm type's ref count too large" );
@@ -1993,6 +1999,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
19931999 AOTType * cur_type = module -> types [j ];
19942000 parent_type_idx = cur_type -> parent_type_idx ;
19952001 if (parent_type_idx != (uint32 )- 1 ) { /* has parent */
2002+ #if WASM_ENABLE_AOT_VALIDATOR != 0
2003+ if (parent_type_idx >= module -> type_count ) {
2004+ set_error_buf (error_buf , error_buf_size ,
2005+ "invalid parent type index" );
2006+ goto fail ;
2007+ }
2008+ #endif
19962009 AOTType * parent_type = module -> types [parent_type_idx ];
19972010
19982011 module -> types [j ]-> parent_type = parent_type ;
@@ -2016,6 +2029,13 @@ load_types(const uint8 **p_buf, const uint8 *buf_end, AOTModule *module,
20162029 AOTType * cur_type = module -> types [j ];
20172030 parent_type_idx = cur_type -> parent_type_idx ;
20182031 if (parent_type_idx != (uint32 )- 1 ) { /* has parent */
2032+ #if WASM_ENABLE_AOT_VALIDATOR != 0
2033+ if (parent_type_idx >= module -> type_count ) {
2034+ set_error_buf (error_buf , error_buf_size ,
2035+ "invalid parent type index" );
2036+ goto fail ;
2037+ }
2038+ #endif
20192039 AOTType * parent_type = module -> types [parent_type_idx ];
20202040 /* subtyping has been checked during compilation */
20212041 bh_assert (wasm_type_is_subtype_of (
0 commit comments