Fix OSS-Fuzz issues

source/m3_bind.c

@@ -82,7 +82,7 @@ _   (AllocFuncType (& funcType, (u32) maxNumTypes));
         }
         else
         {
-            _throwif ("malformed signature; arg count overflow", funcType->numRets + funcType->numArgs >= maxNumTypes);
+            _throwif ("malformed signature; arg count overflow", (u32)(funcType->numRets) + funcType->numArgs >= maxNumTypes);
             funcType->numArgs++;
             *typelist++ = type;
         }

source/m3_compile.c

@@ -2206,8 +2206,7 @@ const M3OpInfo*  GetOpInfo  (m3opcode_t opcode)
 M3Result  Compile_BlockStatements  (IM3Compilation o)
 {
     M3Result result = m3Err_none;
-
-    _throwif ("block code underrun", o->wasm >= o->wasmEnd);
+    bool ended = false;
 
     while (o->wasm < o->wasmEnd)
     {                                                                   emit_stack_dump (o);
@@ -2241,9 +2240,12 @@ _           (Compile_Operator (o, opcode));
         if (o->stackIndex > d_m3MaxFunctionStackHeight)         // TODO: is this only place to check?
             _throw (m3Err_functionStackOverflow);
 
-        if (opcode == c_waOp_end or opcode == c_waOp_else)
+        if (opcode == c_waOp_end or opcode == c_waOp_else) {
+            ended = true;
             break;
+        }
     }
+    _throwif(m3Err_wasmMalformed, !(ended));
 
 _catch:
     return result;

source/m3_core.h

@@ -165,6 +165,7 @@ M3CodePageHeader;
 #define d_m3MaxSaneGlobalsCount             100000
 #define d_m3MaxSaneElementSegments          100000
 #define d_m3MaxSaneDataSegments             100000
+#define d_m3MaxSaneTableSize                100000
 #define d_m3MaxSaneUtf8Length               10000
 #define d_m3MaxSaneFunctionArgRetCount      1000    // still insane, but whatever
 

source/m3_env.c

@@ -466,16 +466,15 @@ _       (EvaluateExpression (io_module, & segmentOffset, c_m3Type_i32, & start,
 
         m3log (runtime, "loading data segment: %d; size: %d; offset: %d", i, segment->size, segmentOffset);
 
-        if (io_memory->mallocated)
+        _throwif ("unallocated linear memory", !(io_memory->mallocated));
+
+        if (segmentOffset > 0 && (size_t) segmentOffset + segment->size <= io_memory->mallocated->length)
         {
             u8 * dest = m3MemData (io_memory->mallocated) + segmentOffset;
-
-            if ((size_t) segmentOffset + segment->size <= io_memory->mallocated->length)
-                memcpy (dest, segment->data, segment->size);
-            else
-                _throw ("data segment overflowing linear memory");
+            memcpy (dest, segment->data, segment->size);
+        } else {
+            _throw ("data segment out of bounds");
         }
-        else _throw ("unallocated linear memory");
     }
 
     _catch: return result;
@@ -503,12 +502,12 @@ _           (EvaluateExpression (io_module, & offset, c_m3Type_i32, & bytes, end
             u32 numElements;
 _           (ReadLEB_u32 (& numElements, & bytes, end));
 
-            size_t endElement = numElements + offset;
+            size_t endElement = (size_t)(numElements) + offset;
+            _throwif ("table overflow", endElement > d_m3MaxSaneTableSize);
 
             io_module->table0 = m3_ReallocArray (IM3Function, io_module->table0, endElement, io_module->table0Size);
             _throwifnull(io_module->table0);
 
-            _throwif ("table overflow", endElement > UINT_MAX)
             io_module->table0Size = (u32) endElement;
 
             for (u32 e = 0; e < numElements; ++e)

source/m3_parse.c

@@ -82,8 +82,7 @@ _               (NormalizeType (& argType, wasmType));
 
             u32 numRets;
 _           (ReadLEB_u32 (& numRets, & i_bytes, i_end));
-
-            _throwif (m3Err_tooManyArgsRets, numRets + numArgs > d_m3MaxSaneFunctionArgRetCount);
+            _throwif (m3Err_tooManyArgsRets, (u64)(numRets) + numArgs > d_m3MaxSaneFunctionArgRetCount);
 
 _           (AllocFuncType (& ftype, numRets + numArgs));
             ftype->numArgs = numArgs;