From 0c10c84436973899b87d3e83af4732292699de6e Mon Sep 17 00:00:00 2001
From: Yi LIU
Date: Wed, 25 Feb 2026 23:03:59 +0800
Subject: [PATCH 1/2] Fix off-by-one in aot_alloc_tiny_frame overflow check
The boundary check in aot_alloc_tiny_frame only verifies that new_frame itself doesn't exceed top_boundary, but doesn't account for the sizeof(AOTTinyFrame) bytes that are about to be written. When new_frame equals top_boundary exactly, the check passes but the subsequent write to new_frame->func_index goes past the boundary. This matches the correct pattern used in aot_alloc_frame (line 4086) which includes the frame size.
---
core/iwasm/aot/aot_runtime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/iwasm/aot/aot_runtime.c b/core/iwasm/aot/aot_runtime.c
index 5ed7fc8afb..ba88487fac 100644
--- a/core/iwasm/aot/aot_runtime.c
+++ b/core/iwasm/aot/aot_runtime.c
@@ -4176,7 +4176,7 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)
 {
 AOTTinyFrame *new_frame = (AOTTinyFrame *)exec_env->wasm_stack.top;
 
- if ((uint8 *)new_frame > exec_env->wasm_stack.top_boundary) {
+ if ((uint8 *)new_frame + sizeof(AOTTinyFrame) > exec_env->wasm_stack.top_boundary) {
 aot_set_exception((WASMModuleInstance *)exec_env->module_inst,
 "wasm operand stack overflow");
 return false;
From 147292babd34c2a3621c4f1471082aa08a287f5b Mon Sep 17 00:00:00 2001
From: Yi LIU
Date: Thu, 26 Feb 2026 09:33:35 +0800
Subject: [PATCH 2/2] Fix line length to comply with coding guidelines
Break the overflow check condition across two lines to stay within the 80-column limit enforced by clang-format.
---
core/iwasm/aot/aot_runtime.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/iwasm/aot/aot_runtime.c b/core/iwasm/aot/aot_runtime.c
index ba88487fac..cfe13149e8 100644
--- a/core/iwasm/aot/aot_runtime.c
+++ b/core/iwasm/aot/aot_runtime.c
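Review bot: The new condition still forms `(uint8 *)new_frame + sizeof(AOTTinyFrame)`, a pointer that lands up to sizeof(AOTTinyFrame)-1 bytes past top_boundary exactly in the case the check is meant to catch, and pointer arithmetic beyond one-past-the-end of the stack buffer is undefined behaviour in C even when the result is only compared; the aot_alloc_frame pattern the message cites presumably has the same property, so this is an inherited style rather than a regression. A form that never leaves the buffer is `if (exec_env->wasm_stack.top_boundary - (uint8 *)new_frame < (ptrdiff_t)sizeof(AOTTinyFrame)) {`, which additionally rejects a top that is already past the boundary instead of treating it as fitting. Either way `>` is only correct if top_boundary is one past the last usable byte (the frame [new_frame, new_frame + sizeof) then fits exactly when the two are equal); if it is the last usable byte, `>=` is needed, so a one-line comment such as `/* the whole frame must fit below top_boundary (one past the end of the stack) */` would pin the assumption. The description's "when new_frame equals top_boundary exactly" understates the old bug: any top within sizeof(AOTTinyFrame) bytes below the boundary also passed the old check. The write to new_frame->func_index it mentions, and the remainder of aot_alloc_tiny_frame, lie outside the hunk.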
@@ -4176,7 +4176,8 @@ aot_alloc_tiny_frame(WASMExecEnv *exec_env, uint32 func_index)
 {
 AOTTinyFrame *new_frame = (AOTTinyFrame *)exec_env->wasm_stack.top;
 
- if ((uint8 *)new_frame + sizeof(AOTTinyFrame) > exec_env->wasm_stack.top_boundary) {
+ if ((uint8 *)new_frame + sizeof(AOTTinyFrame)
+ > exec_env->wasm_stack.top_boundary) {
 aot_set_exception((WASMModuleInstance *)exec_env->module_inst,
 "wasm operand stack overflow");
 return false;