This commit fixes a mistake that was introduced in https://github.com/bytecodealliance/wasm-tools/pull/1587 which was first
released as 1.210.0 as part of wasm-tools. In https://github.com/bytecodealliance/wasm-tools/pull/1587 control flow was
restructured in the validator to expose an out-of-bounds access of
self.control when a function has instructions after the final end
instruction. The fix in this commit is to apply the same logic as
check_return which is to explicitly check for the length of the
control stack and return an error.
This bug comes from how instructions-after-end are detected in the
validator. Notably this erroneous condition is checked when the
function reaches EOF, not when the control stack is emptied. This is to
avoid checking at all instructions that the control stack has a length
greater than one and to instead defer that check to only instructions
that need it. This surprising behavior, though, ended up leading to this
bug.
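The two shapes the commit message contrasts, as an added illustration that is not wasm-tools' own code: a miniature validator with a control stack, where the buggy shape indexes the top frame directly (and so panics on an empty stack, which for a validator fed untrusted modules is a denial-of-service) and the fixed shape tests the stack length explicitly and returns an error, as the message says check_return does. Every name here (Op, Frame, Validator, check_return, the error strings, the ops_after_end counter used to defer the report to EOF) is an assumption of this example.

```rust
// Added example, not wasm-tools' own code. Names, structure and error
// strings are assumptions chosen to mirror the pattern in the commit text.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Op {
    Block,
    End,
    Nop,
    Return,
}

#[derive(Debug)]
pub struct Frame {
    pub kind: Op,
}

pub struct Validator {
    /// One frame per open block; the function body is the outermost frame.
    control: Vec<Frame>,
    /// Operators seen after the final `end` emptied the control stack.
    /// Cheap to count per instruction; reported only when EOF is reached.
    ops_after_end: usize,
}

impl Validator {
    pub fn new() -> Self {
        Validator { control: vec![Frame { kind: Op::Block }], ops_after_end: 0 }
    }

    /// The buggy shape: index the top frame directly. On an empty stack
    /// `len() - 1` underflows (debug) or indexes out of bounds (release);
    /// either way the validator panics instead of reporting an error.
    #[allow(dead_code)]
    fn top_frame_unchecked(&self) -> &Frame {
        &self.control[self.control.len() - 1]
    }

    /// The fixed shape (the logic the commit attributes to check_return):
    /// test the length explicitly and return an error instead of indexing.
    fn check_return(&self) -> Result<&Frame, String> {
        match self.control.last() {
            Some(frame) => Ok(frame),
            None => Err("operators remaining after end of function".to_string()),
        }
    }

    pub fn op(&mut self, op: Op) -> Result<(), String> {
        if self.control.is_empty() {
            // Bookkeeping only; the error is deferred to EOF unless the
            // instruction itself needs a control frame.
            self.ops_after_end += 1;
        }
        match op {
            Op::Nop => {}
            Op::Block => self.control.push(Frame { kind: op }),
            Op::Return => {
                // Needs the enclosing frame, so it must check the stack.
                self.check_return()?;
            }
            Op::End => {
                self.check_return()?;
                self.control.pop();
            }
        }
        Ok(())
    }

    /// Called when the function's bytes are exhausted (EOF).
    pub fn finish(&self) -> Result<(), String> {
        if !self.control.is_empty() {
            return Err(format!(
                "{} control frames still open at end of function",
                self.control.len()
            ));
        }
        if self.ops_after_end > 0 {
            return Err(format!(
                "{} operators remaining after end of function",
                self.ops_after_end
            ));
        }
        Ok(())
    }
}

/// Validate a whole function body: feed every operator, then run the EOF check.
pub fn validate(ops: &[Op]) -> Result<(), String> {
    let mut v = Validator::new();
    for &op in ops {
        v.op(op)?;
    }
    v.finish()
}
```

A `nop` after the final `end` is only reported by `finish`, matching the deferred EOF check the message describes, while a `return` after the final `end` fails immediately because it needs a frame; the difference between the two accessors is the whole fix.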