From 63a5a22d68f8a52aff399e94141495369586c51c Mon Sep 17 00:00:00 2001
From: netliomax25-code
Date: Mon, 8 Jun 2026 15:55:47 +0530
Subject: [PATCH] validate poll_oneoff in/out arrays against nsubscriptions
---
 core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c | 8 +++++---
 core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c b/core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c
index 35d091e78d..5e36160bb7 100644
--- a/core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c
+++ b/core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c
@@ -932,9 +932,11 @@ wasi_poll_oneoff(wasm_exec_env_t exec_env, const wasi_subscription_t *in,
 if (!uvwasi)
 return (wasi_errno_t)-1;
- if (!validate_native_addr((void *)in, (uint64)sizeof(wasi_subscription_t))
- || !validate_native_addr(out, (uint64)sizeof(wasi_event_t))
- || !validate_native_addr(nevents_app, (uint64)sizeof(uint32)))
+ if (!validate_native_addr(nevents_app, (uint64)sizeof(uint32))
+ || !validate_native_addr((void *)in, (uint64)sizeof(wasi_subscription_t)
+ * nsubscriptions)
+ || !validate_native_addr(out,
+ (uint64)sizeof(wasi_event_t) * nsubscriptions))
 return (wasi_errno_t)-1;
 err = uvwasi_poll_oneoff(uvwasi, in, out, nsubscriptions, &nevents);
diff --git a/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c b/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
index 5ab189e71d..5326820cd3 100644
--- a/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
+++ b/core/iwasm/libraries/libc-wasi/libc_wasi_wrapper.c
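Review bot: With `nsubscriptions == 0`, both array checks in wasi_poll_oneoff (libc_uvwasi_wrapper.c, `@@ -932`) validate a zero-length range, so what is enforced on `in` and `out` depends on how validate_native_addr treats an empty range, which this hunk does not show. An explicit early `if (nsubscriptions == 0)` reject with the invalid-argument errno, placed before the validation, would make that case unambiguous. The size computation avoids wrap-around only because the cast binds to `sizeof` and makes the product 64-bit (the type of `nsubscriptions` is outside the hunk, presumably 32-bit); a short comment such as `/* 64-bit multiply: nsubscriptions is guest-controlled and must not wrap the validated size */` would keep a later cleanup from narrowing it. The identical change in libc_wasi_wrapper.c (the `@@ -1098` hunk) needs the same treatment, and the patch touches only the two wrappers, so no regression test covers a count larger than the guest buffers. The function body starts and ends outside both hunks.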
@@ -1098,9 +1098,11 @@ wasi_poll_oneoff(wasm_exec_env_t exec_env, const wasi_subscription_t *in,
 if (!wasi_ctx)
 return (wasi_errno_t)-1;
- if (!validate_native_addr((void *)in, (uint64)sizeof(wasi_subscription_t))
- || !validate_native_addr(out, (uint64)sizeof(wasi_event_t))
- || !validate_native_addr(nevents_app, (uint64)sizeof(uint32)))
+ if (!validate_native_addr(nevents_app, (uint64)sizeof(uint32))
+ || !validate_native_addr((void *)in, (uint64)sizeof(wasi_subscription_t)
+ * nsubscriptions)
+ || !validate_native_addr(out,
+ (uint64)sizeof(wasi_event_t) * nsubscriptions))
 return (wasi_errno_t)-1;
 #if WASM_ENABLE_THREAD_MGR == 0