Open
Description
- Version: Commit a60eb26
- Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8
Steps to reproduce
export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer -stdlib=libc++"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
mkdir build
cd build
cmake .. -DBUILD_TESTS=OFF
cmake --build . --parallel
cd ..
wget -O src/read_binary_interp_fuzzer.cc https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/wabt/read_binary_interp_fuzzer.cc
$CXX $CXXFLAGS -std=c++17 -I. -Ibuild -Iinclude -Ibuild/include \
./src/read_binary_interp_fuzzer.cc $LIB_FUZZING_ENGINE ./build/libwabt.a \
-o ./read_binary_interp_fuzzer
wget https://github.com/user-attachments/files/19825111/wabt_crash_3.txt
./read_binary_interp_fuzzer wabt_crash_3.txt
Sanitizer output
==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x00000046d27e bp 0x7ffcd7194df0 sp 0x7ffcd71947e0 T0)
==18==The signal is caused by a READ memory access.
==18==Hint: address points to the zero page.
#0 0x46d27e in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport(unsigned int, wabt::ExternalKind, unsigned int, std::__1::basic_string_view<char, std::__1::char_traits<char> >) /src/wabt/src/interp/binary-reader-interp.cc:693:63
#1 0x8d44eb in wabt::(anonymous namespace)::BinaryReader::ReadExportSection(unsigned long) /src/wabt/src/binary-reader.cc:2778:5
#2 0x8d44eb in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /src/wabt/src/binary-reader.cc:3033:26
#3 0x8bb810 in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /src/wabt/src/binary-reader.cc:3119:3
#4 0x8bb810 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /src/wabt/src/binary-reader.cc:3141:17
#5 0x523f97 in wabt::interp::ReadBinaryInterp(std::__1::basic_string_view<char, std::__1::char_traits<char> >, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::__1::vector<wabt::Error, std::__1::allocator<wabt::Error> >*, wabt::interp::ModuleDesc*) /src/wabt/src/interp/binary-reader-interp.cc:1742:10
#6 0x40f28f in LLVMFuzzerTestOneInput /src/read_binary_interp_fuzzer.cc:39:3
#7 0xadd54a in main (/out/read_binary_interp_fuzzer.fuzz+0xadd54a)
#8 0x7729a5b3b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#9 0x40980d in _start (/out/read_binary_interp_fuzzer.fuzz+0x40980d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/wabt/src/interp/binary-reader-interp.cc:693:63 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport(unsigned int, wabt::ExternalKind, unsigned int, std::__1::basic_string_view<char, std::__1::char_traits<char> >)
==18==ABORTING
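As an added triage example (not part of this issue or of the wabt project), the following Python script parses the AddressSanitizer report quoted above, pulls out the crash class, the faulting address, the access type and the symbolized top frame, and flags the fault as a null-pointer dereference because the address lies in the zero page (a read at offset 0x40 from a null base is typically a member access through a null pointer). The sample input is the report from this issue; the 0x1000 zero-page bound is an assumption for x86-64 Linux, and the parser is a generic one, not wabt's or OSS-Fuzz's own tooling.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the AddressSanitizer report quoted in this issue (frames indented as ASan prints them).
ASAN_REPORT = """\
==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x00000046d27e bp 0x7ffcd7194df0 sp 0x7ffcd71947e0 T0)
==18==The signal is caused by a READ memory access.
==18==Hint: address points to the zero page.
    #0 0x46d27e in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport(unsigned int, wabt::ExternalKind, unsigned int, std::__1::basic_string_view<char, std::__1::char_traits<char> >) /src/wabt/src/interp/binary-reader-interp.cc:693:63
    #1 0x8d44eb in wabt::(anonymous namespace)::BinaryReader::ReadExportSection(unsigned long) /src/wabt/src/binary-reader.cc:2778:5
    #2 0x8d44eb in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /src/wabt/src/binary-reader.cc:3033:26
    #3 0x8bb810 in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /src/wabt/src/binary-reader.cc:3119:3
    #4 0x8bb810 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /src/wabt/src/binary-reader.cc:3141:17
    #5 0x523f97 in wabt::interp::ReadBinaryInterp(std::__1::basic_string_view<char, std::__1::char_traits<char> >, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::__1::vector<wabt::Error, std::__1::allocator<wabt::Error> >*, wabt::interp::ModuleDesc*) /src/wabt/src/interp/binary-reader-interp.cc:1742:10
    #6 0x40f28f in LLVMFuzzerTestOneInput /src/read_binary_interp_fuzzer.cc:39:3
    #7 0xadd54a in main (/out/read_binary_interp_fuzzer.fuzz+0xadd54a)
    #8 0x7729a5b3b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #9 0x40980d in _start (/out/read_binary_interp_fuzzer.fuzz+0x40980d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/wabt/src/interp/binary-reader-interp.cc:693:63 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport(unsigned int, wabt::ExternalKind, unsigned int, std::__1::basic_string_view<char, std::__1::char_traits<char> >)
==18==ABORTING
"""

# Assumption: on x86-64 Linux the first 4 KiB page is never mapped, so a fault below
# this bound is a null pointer plus a small offset rather than a wild or freed pointer.
ZERO_PAGE_END = 0x1000

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"\b(READ|WRITE)\b (?:of size \d+|memory access)")
# "#N 0xADDR in <function signature, may contain spaces> <location without spaces>"
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+) (\S+)$")


@dataclass
class Frame:
    index: int
    function: str   # full signature as printed by the symbolizer
    location: str   # file:line:col, or (module+offset) when unsymbolized

    def short_name(self) -> str:
        """Drop '(anonymous namespace)' and the parameter list, e.g. wabt::interp::BinaryReaderInterp::OnExport."""
        name = self.function.replace("(anonymous namespace)::", "")
        return name.split("(", 1)[0]


@dataclass
class AsanCrash:
    error: str                # e.g. "SEGV", "heap-buffer-overflow"
    address: int              # faulting address
    access: Optional[str]     # "READ" / "WRITE" when the report states it
    frames: List[Frame] = field(default_factory=list)

    @property
    def top(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def is_null_deref(self) -> bool:
        return self.error == "SEGV" and self.address < ZERO_PAGE_END


def parse_asan_report(text: str) -> AsanCrash:
    """Extract the error banner, access type and the first stack trace from an ASan report."""
    crash: Optional[AsanCrash] = None
    for line in text.splitlines():
        m = _ERROR_RE.search(line)
        if m and crash is None:
            crash = AsanCrash(error=m.group(1), address=int(m.group(2), 16), access=None)
            continue
        if crash is None:
            continue  # ignore anything printed before the ERROR banner
        m = _ACCESS_RE.search(line)
        if m and crash.access is None:
            crash.access = m.group(1)
            continue
        m = _FRAME_RE.match(line)
        if m:
            crash.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if crash is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return crash


def triage(crash: AsanCrash) -> str:
    """One-line verdict of the kind a fuzzing dashboard attaches to a crash."""
    top = crash.top
    where = f"{top.short_name()} at {top.location}" if top else "unknown frame"
    if crash.is_null_deref():
        kind = f"null-pointer dereference (fault address 0x{crash.address:x} is in the zero page)"
    else:
        kind = crash.error
    access = (crash.access or "unknown").lower()
    return f"{kind}; {access} in {where}"


if __name__ == "__main__":
    print(triage(parse_asan_report(ASAN_REPORT)))
```

Run as a script, it prints a single verdict naming `wabt::interp::BinaryReaderInterp::OnExport` at `binary-reader-interp.cc:693:63` as a null-pointer read; the same parser works on other ASan classes (heap-buffer-overflow, use-after-free) because the banner and frame formats are shared, only the zero-page check is specific to SEGV.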
POC
Credit
Reported by Yifan Zhang, PLL