wabt
[Bug] Assertion failed end >= start in wabt::AST::Construct
Description
We encountered a SIGABRT (Assertion Failure) in wasm-decompile. The crash occurs within wabt::AST::Construct when attempting to decompile a malformed WebAssembly binary.
The assertion end >= start fails, indicating an invalid range calculation where the end index is less than the start index. This likely happens when the decompiler attempts to define the boundaries of a block or expression sequence but miscalculates the offsets, leading to an impossible range.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-decompile
- Crash Type: Assertion Failure (SIGABRT)
- Location: include/wabt/decompiler-ast.h:352
- Function: void wabt::AST::Construct(const ExprList&, Index, Index, bool)
- Assertion: Assertion end >= start failed
- Root Cause Analysis: The stack trace shows recursive calls to AST::Construct. The function signature involves Index start and Index end. The assertion ensures that the range [start, end) is valid. A failure here implies that end < start, which could be caused by: (1) Integer overflow/underflow when calculating the end index. (2) Logic errors when handling empty blocks or malformed control flow structures where the "end" of the block is determined to be before its "start".
Reproduce
gdb --args ./wasm-decompile ./repro
r
bt
Download Link: repro
Stack Trace (GDB)
wasm-decompile: /src/wabt/include/wabt/decompiler-ast.h:352: void wabt::AST::Construct(const ExprList &, Index, Index, bool): Assertion `end >= start' failed.
Program received signal SIGABRT, Aborted.
0x00007fc3ee1bab2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007fc3ee1bab2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fc3ee16127e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fc3ee1448ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007fc3ee14481b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007fc3ee157517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x0000558e52f6f013 in wabt::AST::Construct (this=0x7fc3ec901460, es=...,
nresults=<optimized out>, nparams=<optimized out>,
is_function_body=<optimized out>)
at /src/wabt/include/wabt/decompiler-ast.h:352
#6 0x0000558e52f7cb6f in wabt::AST::Construct (
this=this@entry=0x7fc3ec901460, e=...)
at /src/wabt/include/wabt/decompiler-ast.h:199
#7 0x0000558e52f6d08f in wabt::AST::Construct (this=0x7fc3ec901460, es=...,
nresults=<optimized out>, nparams=<optimized out>,
is_function_body=<optimized out>)
at /src/wabt/include/wabt/decompiler-ast.h:253
#8 0x0000558e52f63eba in wabt::Decompiler::Decompile[abi:cxx11]() (
this=<optimized out>) at /src/wabt/src/decompiler.cc:802
#9 0x0000558e52f601f5 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) (module=..., options=...)
at /src/wabt/src/decompiler.cc:861
#10 0x0000558e52eaf47e in ProgramMain (argc=<optimized out>,
argv=<optimized out>) at /src/wabt/src/tools/wasm-decompile.cc:103
#11 0x00007fc3ee1461ca in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x00007fc3ee14628b in __libc_start_main ()
from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000558e52dca645 in _start ()
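The two candidate causes named in the root-cause analysis above can be modelled in a few lines. The following is an added illustration written for this page, not wabt's code: it tracks the operand-stack height of a block body with an unsigned Index the way the report describes, shows how (1) an underflowing subtraction and (2) a body that pops below its own frame height both leave end < start, and contrasts that with a variant that validates the input and returns an error instead of tripping an assertion. The names Op, FrameResult, ConstructUnchecked and ConstructChecked are hypothetical and do not correspond to anything in decompiler-ast.h.

```cpp
// Added illustration, not wabt's code. Models the frame bookkeeping that an
// "end >= start" assertion protects and shows a variant that validates the
// input and reports an error instead of aborting. Type and function names
// (Op, FrameResult, ConstructUnchecked, ConstructChecked) are hypothetical.
#include <cstdint>
#include <vector>

using Index = uint32_t;  // wabt's Index is also a 32-bit unsigned type

// A toy expression: pops nparams operands and pushes nresults.
struct Op {
  Index nparams;
  Index nresults;
};

struct FrameResult {
  bool ok;      // false if the block body was rejected as malformed
  Index start;  // stack height the block's body must not go below
  Index end;    // stack height when the body finished
};

// Mirrors the two failure modes from the report:
//  (1) start = size - nparams wraps around when the block claims more
//      params than the stack holds;
//  (2) a body that pops more than it pushes leaves end < start, which is
//      exactly what an assert(end >= start) would abort on.
FrameResult ConstructUnchecked(std::vector<int> stack, Index nparams,
                               const std::vector<Op>& body) {
  const Index start = static_cast<Index>(stack.size()) - nparams;  // (1)
  for (const Op& op : body) {
    for (Index i = 0; i < op.nparams && !stack.empty(); ++i) {
      stack.pop_back();  // bounded pop: no wrap, but can dip below start (2)
    }
    for (Index i = 0; i < op.nresults; ++i) stack.push_back(0);
  }
  const Index end = static_cast<Index>(stack.size());
  return {end >= start, start, end};  // a caller would assert on .ok
}

// Hardened variant: every subtraction is guarded before it happens, so a
// malformed body is reported through the return value and the range
// invariant holds by construction for every input that gets through.
FrameResult ConstructChecked(std::vector<int> stack, Index nparams,
                             Index nresults, const std::vector<Op>& body) {
  if (nparams > stack.size()) return {false, 0, 0};  // rejects (1)
  const Index start = static_cast<Index>(stack.size()) - nparams;
  for (const Op& op : body) {
    const Index available = static_cast<Index>(stack.size()) - start;
    if (op.nparams > available) return {false, start, 0};  // rejects (2)
    stack.resize(stack.size() - op.nparams);
    stack.resize(stack.size() + op.nresults, 0);
  }
  const Index end = static_cast<Index>(stack.size());
  // A well-formed block leaves exactly its declared results on its frame.
  if (end != start + nresults) return {false, start, end};
  return {true, start, end};
}
```

The point of the checked variant is where the decision is made: a decompiler that only asserts discovers the bad range after the damage is done and can only abort, whereas validating nparams against the stack height on entry and each op's pops against the block-local height turns the same malformed input into an ordinary error the tool can report and continue from.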
wasm-decompile doesn't currently have a maintainer, or anyone who works on it. If you would like to send a PR, please do.