From 56614c1d02f50821426fa542e8eb5abcc3f4d1de Mon Sep 17 00:00:00 2001
From: Yi LIU <yi@quantstamp.com>
Date: Wed, 25 Feb 2026 21:48:29 +0800
Subject: [PATCH 1/2] [C API] Add null check in BinaryenTableGrow for missing
 table

BinaryenTableGrow has a convenience path where passing value=nullptr
auto-creates a ref.null of the table's element type. However, it calls
getTableOrNull(name) and immediately dereferences the result without
checking for null. If the table name doesn't exist in the module, this
causes a null pointer dereference.

Add a null check after getTableOrNull so that if the table doesn't
exist, value remains nullptr and downstream code handles the error.
---
 src/binaryen-c.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/binaryen-c.cpp b/src/binaryen-c.cpp
index a68e3b3f1dc..f73e35ae436 100644
--- a/src/binaryen-c.cpp
+++ b/src/binaryen-c.cpp
@@ -1685,8 +1685,10 @@ BinaryenExpressionRef BinaryenTableGrow(BinaryenModuleRef module,
                                         BinaryenExpressionRef value,
                                         BinaryenExpressionRef delta) {
   if (value == nullptr) {
-    auto tableType = (*(Module*)module).getTableOrNull(name)->type;
-    value = BinaryenRefNull(module, (BinaryenType)tableType.getID());
+    auto* table = (*(Module*)module).getTableOrNull(name);
+    if (table) {
+      value = BinaryenRefNull(module, (BinaryenType)table->type.getID());
+    }
   }
   return static_cast<Expression*>(
     Builder(*(Module*)module)

From d93df249a57651f31ff53c3bf4c355e808532005 Mon Sep 17 00:00:00 2001
From: Yi LIU <yi@quantstamp.com>
Date: Thu, 26 Feb 2026 09:38:19 +0800
Subject: [PATCH 2/2] [C API] Use Fatal() for missing table in
 BinaryenTableGrow

---
 src/binaryen-c.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/binaryen-c.cpp b/src/binaryen-c.cpp
index f73e35ae436..2a3b6afc397 100644
--- a/src/binaryen-c.cpp
+++ b/src/binaryen-c.cpp
@@ -1686,9 +1686,10 @@ BinaryenExpressionRef BinaryenTableGrow(BinaryenModuleRef module,
                                         BinaryenExpressionRef delta) {
   if (value == nullptr) {
     auto* table = (*(Module*)module).getTableOrNull(name);
-    if (table) {
-      value = BinaryenRefNull(module, (BinaryenType)table->type.getID());
+    if (!table) {
+      Fatal() << "invalid table '" << name << "'.";
     }
+    value = BinaryenRefNull(module, (BinaryenType)table->type.getID());
   }
   return static_cast<Expression*>(
     Builder(*(Module*)module)