Description
- Version: Commit a60eb26
- Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8
- Fuzzing harness: https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/wabt/read_binary_interp_fuzzer.cc
Please let me know if you encounter any issues reproducing it — I can upload a Docker image to help.
Steps to reproduce
```sh
export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer -stdlib=libc++"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
mkdir build
cd build
cmake .. -DBUILD_TESTS=OFF
cmake --build . --parallel
cd ..
# fetch the oss-fuzz harness into src/, where the compile line below expects it
wget -O src/read_binary_interp_fuzzer.cc https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/wabt/read_binary_interp_fuzzer.cc
$CXX $CXXFLAGS -std=c++17 -I. -Ibuild -Iinclude -Ibuild/include \
  ./src/read_binary_interp_fuzzer.cc $LIB_FUZZING_ENGINE ./build/libwabt.a \
  -o ./read_binary_interp_fuzzer
# the crash input is the attached file; run it under the name wget saves it as
wget https://github.com/user-attachments/files/20191325/wabt_crash_4.txt
./read_binary_interp_fuzzer wabt_crash_4.txt
```
Sanitizer output
```text
==46466==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7a9a346848 bytes
    #0 0xb4de7d in malloc (/out/read_binary_interp_fuzzer.fuzz+0xb4de7d)
    #1 0x7fa3bfa02b28 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xaab28)
    #2 0x4d82c8 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnDataCount(unsigned int) /src/wabt/src/interp/binary-reader-interp.cc:772:17
    #3 0x8e2a92 in wabt::(anonymous namespace)::BinaryReader::ReadDataCountSection(unsigned long) /src/wabt/src/binary-reader.cc:2940:3
    #4 0x8e2a92 in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /src/wabt/src/binary-reader.cc:3063:26
    #5 0x8bb810 in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /src/wabt/src/binary-reader.cc:3119:3
    #6 0x8bb810 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /src/wabt/src/binary-reader.cc:3141:17
    #7 0x523f97 in wabt::interp::ReadBinaryInterp(std::__1::basic_string_view<char, std::__1::char_traits<char> >, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::__1::vector<wabt::Error, std::__1::allocator<wabt::Error> >*, wabt::interp::ModuleDesc*) /src/wabt/src/interp/binary-reader-interp.cc:1742:10
    #8 0x40f28f in LLVMFuzzerTestOneInput /src/read_binary_interp_fuzzer.cc:39:3
    #9 0xadd54a in main (/out/read_binary_interp_fuzzer.fuzz+0xadd54a)

==46466==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/out/read_binary_interp_fuzzer.fuzz+0xb4de7d) in malloc
==46466==ABORTING
```
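The trace shows `operator new` called directly from `BinaryReaderInterp::OnDataCount`, i.e. the count decoded from the module's DataCount section sizes an allocation before anything has checked whether the input could actually contain that many segments. The following is an added example, not wabt's code, that models the pattern in a stand-alone reader: `naive_reserve_bytes` is what an unchecked reserve would request from malloc, `check_data_count` walks a module's sections and rejects a count that exceeds either the bytes left in the input (every data segment needs at least two bytes to encode) or an implementation limit, and `reserve_data_descs` only reserves after that check passes. The `DataDesc` size, the `kMaxDataSegments` limit, and the assumption that line 772 is a reserve-style allocation sized by the count are mine; the test modules are constructed inline and are not the attached crash file.

```cpp
// Added example, not wabt's code: models how an untrusted DataCount value
// becomes an allocation request, and the bounds a reader can enforce first.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for the per-segment descriptor a reader would reserve; its real
// size in wabt is not known here, so 64 bytes is an assumption.
struct DataDesc { uint8_t opaque[64]; };

constexpr uint32_t kMaxDataSegments = 100000;  // assumed implementation limit
constexpr size_t kMinSegmentBytes = 2;         // passive segment: flag + vec length

enum class Verdict { Ok, Malformed, TooManyForInput, ExceedsLimit };
struct DataCountCheck { Verdict verdict; uint32_t count; };

// Decode an unsigned LEB128 u32 (at most 5 bytes, as the wasm spec requires).
// Returns bytes consumed, or 0 if the encoding is truncated or overflows u32.
size_t read_u32_leb128(const uint8_t* p, size_t len, uint32_t* out) {
    uint64_t value = 0;
    for (size_t i = 0; i < 5 && i < len; ++i) {
        value |= uint64_t(p[i] & 0x7f) << (7 * i);
        if ((p[i] & 0x80) == 0) {
            if (value > 0xffffffffULL) return 0;
            *out = uint32_t(value);
            return i + 1;
        }
    }
    return 0;
}

// Bytes the unchecked pattern (reserve straight from the decoded count) would
// request from malloc: 0xffffffff segments of 64 bytes is about 256 GiB.
uint64_t naive_reserve_bytes(uint32_t count) {
    return uint64_t(count) * sizeof(DataDesc);
}

// Walk the sections of a module and validate the DataCount section's count
// before anything is sized by it: the count cannot exceed what the remaining
// bytes could possibly encode, and it must respect the implementation limit.
DataCountCheck check_data_count(const uint8_t* mod, size_t len) {
    static const uint8_t kHeader[8] = {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00};
    if (len < 8 || memcmp(mod, kHeader, 8) != 0) return {Verdict::Malformed, 0};
    size_t pos = 8;
    while (pos < len) {
        uint8_t id = mod[pos++];
        uint32_t size = 0;
        size_t n = read_u32_leb128(mod + pos, len - pos, &size);
        if (n == 0 || size > len - pos - n) return {Verdict::Malformed, 0};
        pos += n;
        if (id == 12) {  // DataCount section
            uint32_t count = 0;
            size_t m = read_u32_leb128(mod + pos, size, &count);
            if (m == 0 || m != size) return {Verdict::Malformed, 0};
            size_t remaining = len - (pos + size);
            if (uint64_t(count) * kMinSegmentBytes > remaining)
                return {Verdict::TooManyForInput, count};
            if (count > kMaxDataSegments) return {Verdict::ExceedsLimit, count};
            return {Verdict::Ok, count};
        }
        pos += size;
    }
    return {Verdict::Ok, 0};  // no DataCount section: nothing to reserve
}

// Hardened reserve: only size the vector once the count has passed both checks.
bool reserve_data_descs(const uint8_t* mod, size_t len, std::vector<DataDesc>* out) {
    DataCountCheck c = check_data_count(mod, len);
    if (c.verdict != Verdict::Ok) return false;
    out->reserve(c.count);
    return true;
}

// Build a constructed module: header, a DataCount section declaring `count`,
// then `trailing` zero bytes standing in for whatever would follow.
std::vector<uint8_t> build_datacount_module(uint32_t count, size_t trailing) {
    std::vector<uint8_t> m = {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x0c};
    std::vector<uint8_t> leb;
    do {
        uint8_t b = count & 0x7f;
        count >>= 7;
        if (count) b |= 0x80;
        leb.push_back(b);
    } while (count);
    m.push_back(uint8_t(leb.size()));   // section size
    m.insert(m.end(), leb.begin(), leb.end());
    m.insert(m.end(), trailing, uint8_t(0));
    return m;
}
```

The input-size bound is the cheap, spec-independent check: a DataCount of N with fewer than 2N bytes left in the module cannot be satisfied by any data section, so the reader can refuse it without ever touching the allocator. The implementation limit covers the remaining range where the count is plausible but still larger than the reader should ever commit memory for up front.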
POC
Credit
Reported by Yifan Zhang, PLL