From 194d28288fa5998cefb8b1687e889c062b84aa1c Mon Sep 17 00:00:00 2001
From: Stephen Berard
Date: Thu, 2 Apr 2026 13:53:33 +0200
Subject: [PATCH] security(gc): fixed length handling in `array.new`

Signed-off-by: Stephen Berard
---
 core/iwasm/interpreter/wasm_loader.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
index a2c67bea2c..0b10cd4bd8 100644
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@@ -1330,7 +1330,8 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
 size = sizeof(WASMArrayNewInitValues)
- + sizeof(WASMValue) * (uint64)len_val.i32;
+ + sizeof(WASMValue)
+ * (uint64)(uint32)len_val.i32;
 if (!(array_init_values = loader_malloc(
 size, error_buf, error_buf_size))) {
 goto fail;
@@ -1406,7 +1407,7 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
 error_buf, error_buf_size)) {
 goto fail;
 }
- len = len_val.i32;
+ len = (uint32)len_val.i32;
 cur_value.array_new_default.type_index = type_idx;
 cur_value.array_new_default.length = len;
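Review bot: The zero-extension is applied only inside the `size` expression of the first hunk, so any other read of `len_val.i32` in this `array.new` branch still sees a signed value; the stored element count and any fill loop lie outside the hunk and must agree with the size allocated here. Converting once into an unsigned local, e.g. `uint32 len = (uint32)len_val.i32;` and then `* (uint64)len` in the size expression, keeps the allocation and later indexing on the same value and matches the form used in the second hunk. A short comment such as `/* length is an unsigned i32: zero-extend, a sign-extended negative would wrap the 64-bit size */` would record why the double cast exists. The upper bound on the request now presumably rests on `loader_malloc` rejecting oversized sizes, which is not visible in this patch.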
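Review bot: Whether `len = (uint32)len_val.i32;` in the second hunk changes behaviour depends on the declared type of `len`, which is outside the hunk. If `len` is already `uint32`, the implicit conversion produced the same value and the cast is documentation only, whereas a wider type would previously have sign-extended a negative length. A comment such as `/* array length is unsigned; do not sign-extend */` would make the intent explicit. No upper bound is applied before the value is stored in `cur_value.array_new_default.length`, so whatever later allocates from that field has to handle lengths up to 0xFFFFFFFF and fail cleanly; that consumer is not shown here.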