Fix integer overflow in DRC free list (#13110)

fitzgen · web-flow · commit d5f1b973e48b · 2026-04-15T20:24:19.000Z
Fixes #13067
diff --git a/crates/wasmtime/src/runtime/vm/gc/enabled/drc.rs b/crates/wasmtime/src/runtime/vm/gc/enabled/drc.rs
@@ -238,7 +238,7 @@ impl DrcHeap {
     fn dealloc(&mut self, gc_ref: VMGcRef) {
         let drc_ref = drc_ref(&gc_ref);
         let size = self.index(drc_ref).object_size;
-        let alloc_size = FreeList::aligned_size(size);
+        let alloc_size = FreeList::aligned_size(size).unwrap();
         let index = gc_ref.as_heap_index().unwrap();
 
         // Poison the freed memory so that any stale access is detectable.
@@ -373,7 +373,7 @@ impl DrcHeap {
             }
 
             // Deallocate using the object_size we already read.
-            let alloc_size = FreeList::aligned_size(object_size);
+            let alloc_size = FreeList::aligned_size(object_size).unwrap();
             let index = gc_ref.as_heap_index().unwrap();
 
             if cfg!(gc_zeal) {
@@ -1007,7 +1007,8 @@ unsafe impl GcHeap for DrcHeap {
         }
 
         let object_size = u32::try_from(layout.size()).unwrap();
-        let alloc_size = FreeList::aligned_size(object_size);
+        let alloc_size = FreeList::aligned_size(object_size)
+            .ok_or_else(|| format_err!("allocation size too large"))?;
 
         let gc_ref = match self.free_list.as_mut().unwrap().alloc_fast(alloc_size) {
             None => return Ok(Err(u64::try_from(layout.size()).unwrap())),
diff --git a/crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs b/crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs
@@ -58,8 +58,8 @@ impl FreeList {
     /// Compute the aligned allocation size for a given byte size. Returns the
     /// size rounded up to this free list's alignment, as a u32.
     #[inline]
-    pub fn aligned_size(size: u32) -> u32 {
-        (size + ALIGN_U32 - 1) & !(ALIGN_U32 - 1)
+    pub fn aligned_size(size: u32) -> Option<u32> {
+        Some((size.checked_add(ALIGN_U32)? - 1) & !(ALIGN_U32 - 1))
     }
 
     /// Get the current total capacity this free list manages.
diff --git a/tests/misc_testsuite/gc/issue-13067.wast b/tests/misc_testsuite/gc/issue-13067.wast
@@ -0,0 +1,28 @@
+;;! gc = true
+;;! exceptions = true
+;;! simd = true
+
+(module
+  (type $a (array (mut i8)))
+  (global $g (mut anyref) (ref.null any))
+  (func (export "f") (param i32)
+    (global.set $g (array.new_default $a (i32.sub (i32.const -1) (local.get 0))))
+  )
+)
+
+;; Most of these will trap with either "allocation size too large" or "GC heap
+;; out of memory", but some may succeed. Any of those results is fine, which is
+;; why we do not `assert_return` or `assert_trap` here. What we mostly don't
+;; want is to e.g. hit any integer overflow assertions in our free lists or bump
+;; pointers.
+(invoke "f" (i32.const 0))
+(invoke "f" (i32.const 8))
+(invoke "f" (i32.const 16))
+(invoke "f" (i32.const 24))
+(invoke "f" (i32.const 32))
+(invoke "f" (i32.const 40))
+(invoke "f" (i32.const 48))
+(invoke "f" (i32.const 56))
+(invoke "f" (i32.const 64))
+(invoke "f" (i32.const 72))
+(invoke "f" (i32.const 80))
