From 89f1524b51b17fde9d9cc9cce950a13215af6cbc Mon Sep 17 00:00:00 2001
From: "liang.he@intel.com"
Date: Fri, 25 Oct 2024 02:07:25 +0000
Subject: [PATCH] Fix out of bounds issue in is_native_addr_in_shared_heap function

When checking for integer overflow, you may often write tests like p + i < p. This works fine if p and i are unsigned integers, since any overflow in the addition will cause the value to simply "wrap around." However, using this pattern when p is a pointer is problematic because pointer overflow has undefined behavior according to the C and C++ standards. If the addition overflows and has an undefined result, the comparison will likewise be undefined; it may produce an unintended result, or may be deleted entirely by an optimizing compiler.
---
 core/iwasm/common/wasm_memory.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/core/iwasm/common/wasm_memory.c b/core/iwasm/common/wasm_memory.c
index 5f5a1be90c..f1afe23677 100644
--- a/core/iwasm/common/wasm_memory.c
+++ b/core/iwasm/common/wasm_memory.c
@@ -420,13 +420,28 @@ is_native_addr_in_shared_heap(WASMModuleInstanceCommon *module_inst,
                               uint8 *addr, uint32 bytes)
 {
     WASMSharedHeap *heap = get_shared_heap(module_inst);
+    uintptr_t base_addr = (uintptr_t)heap->base_addr;
+    uintptr_t addr_int = (uintptr_t)addr;
+    uintptr_t end_addr = addr_int + bytes;
-    if (heap && addr >= heap->base_addr && addr + bytes <= heap->base_addr + heap->size && addr + bytes > addr) { return true;
+    if (!heap) { return false; }
-    return false;
+
+    if (addr_int < base_addr) { return false; }
+
+    // Check for overflow
+    if (end_addr < addr_int) { return false; }
+
+    if (end_addr > base_addr + heap->size) { return false; }
+
+    return true; }
 uint64
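Review bot: The new code dereferences `heap` before it is checked for NULL: the first added line, `uintptr_t base_addr = (uintptr_t)heap->base_addr;`, executes before the `if (!heap)` guard, whereas the removed condition tested `heap &&` first, so a module instance with no shared heap now faults instead of returning false. Move the three initialisations below the guard (declare them first, assign after the NULL check), as sketched below. The upper-bound test `end_addr > base_addr + heap->size` still assumes the heap's own range does not wrap around in `uintptr_t`, which is presumably guaranteed where the shared heap is allocated but is worth a one-line comment there. The function's return type and the first line of its signature sit above this hunk.

```c
    WASMSharedHeap *heap = get_shared_heap(module_inst);
    uintptr_t base_addr, addr_int, end_addr;

    if (!heap) {
        return false;
    }

    /* Only touch heap fields once we know heap is non-NULL. */
    base_addr = (uintptr_t)heap->base_addr;
    addr_int = (uintptr_t)addr;
    end_addr = addr_int + bytes;
    /* … unchanged: lower-bound, overflow and upper-bound checks … */
```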