wabt
Null Pointer Dereference in OnExport via Unchecked item_index in binary-reader.cc
Hi,

We are a team of security researchers at UC Berkeley. We recently identified a bug in the latest version of the WABT project. In src/interp/binary-reader-interp.cc, a null pointer dereference is triggered on line 693, in the BinaryReaderInterp::OnExport function. The cause appears to originate from line 2776 of src/binary-reader.cc, where the code calls OnExport with an unvalidated item_index. This index is then used without bounds checking to access func_types_, potentially leading to a crash when item_index is out of range.

The below references may be helpful:
https://github.com/WebAssembly/wabt/blob/96dfd608e5928cc4ef630b9397622a6b19c954e0/src/interp/binary-reader-interp.cc#L1742
https://github.com/WebAssembly/wabt/blob/96dfd608e5928cc4ef630b9397622a6b19c954e0/src/binary-reader.cc#L2776
https://github.com/WebAssembly/wabt/blob/96dfd608e5928cc4ef630b9397622a6b19c954e0/src/interp/binary-reader-interp.cc#L699
You may find the original input that caused this error below, with sha256 checksum 261712ea780acbd14a20cfc6ccd2e9d132710c6869dbe682a8ffe0938586b3c1.
Sincerely, UC Berkeley CyberGym Team
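The failure mode in the report is an export record whose item index is used as a subscript before anyone has checked it against the table it indexes. The following is an added example and not wabt's code: a small, self-contained C++ model in which the names ExportReader, OnExport, func_types_, FuncType and ExportEntry are stand-ins for the real reader's types, and the export records are constructed inline. It shows the shape of check a reader needs at the point where an export's index is consumed: compare against the declared count first, turn an out-of-range index into a decode error, and only then touch the table.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins (added example, not wabt's own types): a declared
// function signature and the kinds of item a module may export.
struct FuncType {
  uint32_t param_count;
  uint32_t result_count;
};

enum class ExternalKind { Func, Table, Memory, Global };
enum class Result { Ok, Error };

// Constructed representation of one export record as a reader would decode it:
// a name, the kind of item, and an index into the table selected by `kind`.
struct ExportEntry {
  std::string name;
  ExternalKind kind;
  uint32_t item_index;
};

// Minimal model of the reader-side state involved in the report: the table of
// function types and the exports accepted so far.
class ExportReader {
 public:
  explicit ExportReader(std::vector<FuncType> func_types)
      : func_types_(std::move(func_types)) {}

  // Checked handler. The index is compared against the declared table before
  // any subscript, so a malformed or hostile index becomes a decode error
  // instead of an out-of-range access on func_types_.
  Result OnExport(const ExportEntry& e) {
    if (e.kind != ExternalKind::Func) {
      // A full reader would validate table/memory/global indices against their
      // own tables; this model tracks only function types, so reject them.
      last_error = "export \"" + e.name + "\": kind not modelled here";
      return Result::Error;
    }
    if (e.item_index >= func_types_.size()) {
      last_error = "export \"" + e.name + "\": function index " +
                   std::to_string(e.item_index) + " out of range (declared " +
                   std::to_string(func_types_.size()) + ")";
      return Result::Error;
    }
    const FuncType& ft = func_types_[e.item_index];  // safe: index validated above
    exported_funcs_.push_back({e.name, ft});
    return Result::Ok;
  }

  size_t exported_count() const { return exported_funcs_.size(); }
  std::string last_error;

 private:
  std::vector<FuncType> func_types_;
  std::vector<std::pair<std::string, FuncType>> exported_funcs_;
};

// Feeds export records to the reader in order and stops at the first error,
// mirroring how a binary reader aborts on a malformed section. Returns the
// number of exports accepted before stopping.
size_t ProcessExports(ExportReader& reader, const std::vector<ExportEntry>& entries) {
  size_t accepted = 0;
  for (const ExportEntry& e : entries) {
    if (reader.OnExport(e) != Result::Ok) break;
    ++accepted;
  }
  return accepted;
}

int main() {
  // Constructed module: two declared function types, then an export section
  // whose third record points past the table (the shape of bug the report describes).
  std::vector<FuncType> types{{0, 0}, {1, 1}};
  std::vector<ExportEntry> exports{
      {"add", ExternalKind::Func, 1},
      {"noop", ExternalKind::Func, 0},
      {"ghost", ExternalKind::Func, 7},
  };
  ExportReader reader(types);
  size_t n = ProcessExports(reader, exports);
  std::cout << "accepted " << n << " export(s)";
  if (!reader.last_error.empty()) std::cout << "; error: " << reader.last_error;
  std::cout << "\n";
  return reader.last_error.empty() ? 0 : 1;
}
```

The check is deliberately `>=` against the current table size rather than a fixed constant, so it also covers the edge case where no function types have been declared at all and index 0 is already out of range. A regression test for a reader fix of this kind would feed a minimal module whose export section references an index past the declared tables and assert that decoding reports an error rather than crashing.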
The attached binary doesn't seem to be valid:
$ wasm-vinterp 9bed4e079d9b4d5188068ab73efff1ab.bin
000000b: error: unfinished section (expected end: 0x18)
How are you running the binary?
I'm sorry. This issue was already reported by ossfuzz: https://issues.oss-fuzz.com/issues/378159149.
The attached file is the input, not an executable. The fuzz target is read_binary_interp_fuzzer.