Fix module instantiation bug: out of bounds memory access (#1531)

Robbepop · web-flow · commit 2254f91b7300 · 2025-06-03T11:08:52.000+02:00
* add regression test

* fix instantiation bug

* apply rustfmt

* apply clippy suggestion
diff --git a/crates/wasmi/src/module/instantiate/mod.rs b/crates/wasmi/src/module/instantiate/mod.rs
@@ -7,7 +7,7 @@ mod tests;
 pub use self::{error::InstantiationError, pre::InstancePre};
 use super::{element::ElementSegmentKind, export, ConstExpr, InitDataSegment, Module};
 use crate::{
-    core::UntypedVal,
+    core::{MemoryError, UntypedVal},
     error::ErrorKind,
     func::WasmFuncEntity,
     memory::DataSegment,
@@ -368,10 +368,12 @@ impl Module {
                     offset,
                     bytes,
                 } => {
-                    let offset =
-                        u32::from(Self::eval_init_expr(context.as_context(), builder, offset))
-                            as usize;
                     let memory = builder.get_memory(memory_index.into_u32());
+                    let offset = Self::eval_init_expr(context.as_context(), builder, offset);
+                    let offset = match usize::try_from(u64::from(offset)) {
+                        Ok(offset) => offset,
+                        Err(_) => return Err(Error::from(MemoryError::OutOfBoundsAccess)),
+                    };
                     memory.write(context.as_context_mut(), offset, bytes)?;
                     DataSegment::new_active(context.as_context_mut())
                 }
diff --git a/crates/wasmi/tests/integration/instantitation.rs b/crates/wasmi/tests/integration/instantitation.rs
@@ -0,0 +1,16 @@
+use wasmi::{Engine, Instance, Module, Store};
+
+#[test]
+fn instantiate_out_of_memory() {
+    let wasm = r#"
+        (module
+            (memory (;0;) i64 1 1)
+            (func (export ""))
+            (data (i64.const -1095216660480) "\ff")
+        )
+    "#;
+    let engine = Engine::default();
+    let module = Module::new(&engine, wasm).unwrap();
+    let mut store = Store::new(&engine, ());
+    Instance::new(&mut store, &module, &[]).unwrap_err();
+}
diff --git a/crates/wasmi/tests/integration/mod.rs b/crates/wasmi/tests/integration/mod.rs
@@ -5,5 +5,6 @@ mod func;
 mod host_call_compilation;
 mod host_call_instantiation;
 mod host_calls_wasm;
+mod instantitation;
 mod resource_limiter;
 mod resumable_call;
