Description
Hi,
We are a team of security researchers at UC Berkeley. We recently identified a bug in the latest version of the WABT project. In src/interp/binary-reader-interp.cc, a null pointer dereference is triggered on line 693, in the BinaryReaderInterp::OnExport function. The cause appears to originate from line 2776 of src/binary-reader.cc, where the code calls OnExport with an unvalidated item_index. This index is then used without bounds checking to access func_types_, potentially leading to a crash when item_index is out of range. The below references may be helpful:
- wabt/src/interp/binary-reader-interp.cc
  - Line 1742 in 96dfd60
  - Line 2776 in 96dfd60
- wabt/src/interp/binary-reader-interp.cc
  - Line 699 in 96dfd60
You may find the original input that caused this error below, with sha256 checksum 261712ea780acbd14a20cfc6ccd2e9d132710c6869dbe682a8ffe0938586b3c1.
Sincerely,
UC Berkeley CyberGym Team
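The report describes an export entry whose item index is passed along unvalidated and then used to index a function-type table. The following is an added illustration, not wabt's code and not the reporters' input: a minimal model of a WebAssembly export-section reader in which the index is checked against the number of function types before the table is touched. `FuncType`, `Module`, `ParseExportEntry`, `ParseExportSection` and the sample byte strings are hypothetical; only function exports (kind 0) are modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model types (not wabt's): a function signature and an export.
struct FuncType {
  std::vector<uint8_t> params;
  std::vector<uint8_t> results;
};

struct Export {
  std::string name;
  uint8_t kind;    // 0 = function; other export kinds are not modelled here
  uint32_t index;  // the "item_index" of the report
};

struct Module {
  std::vector<FuncType> func_types;  // stands in for the func_types_ table
  std::vector<Export> exports;
};

enum class ParseResult { Ok, Truncated, UnsupportedKind, IndexOutOfRange };

// Decode an unsigned LEB128 u32 (at most 5 bytes). Rejects truncation and
// overflow instead of reading past the end of the buffer.
static bool ReadU32Leb(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
  uint32_t result = 0;
  for (int shift = 0; shift < 35; shift += 7) {
    if (pos >= buf.size()) return false;
    uint8_t b = buf[pos++];
    if (shift == 28 && (b & 0x70) != 0) return false;  // bits beyond 32
    result |= static_cast<uint32_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) { out = result; return true; }
  }
  return false;  // continuation bit still set after 5 bytes
}

// Parse one export entry: name (LEB length + bytes), kind byte, LEB index.
// The index is validated against the module's function-type count before any
// element of func_types is accessed; that is the check whose absence the
// report describes on the OnExport path.
ParseResult ParseExportEntry(const std::vector<uint8_t>& buf, size_t& pos, Module& mod) {
  uint32_t name_len = 0;
  if (!ReadU32Leb(buf, pos, name_len)) return ParseResult::Truncated;
  if (name_len > buf.size() - pos) return ParseResult::Truncated;
  std::string name(buf.begin() + pos, buf.begin() + pos + name_len);
  pos += name_len;

  if (pos >= buf.size()) return ParseResult::Truncated;
  uint8_t kind = buf[pos++];
  if (kind != 0) return ParseResult::UnsupportedKind;

  uint32_t index = 0;
  if (!ReadU32Leb(buf, pos, index)) return ParseResult::Truncated;

  // Bounds check: an export may only reference a function that exists.
  if (index >= mod.func_types.size()) return ParseResult::IndexOutOfRange;

  mod.exports.push_back(Export{name, kind, index});
  return ParseResult::Ok;
}

// Parse a whole export-section payload (count + entries) against a module
// that declares `num_funcs` function types. Returns the first error seen.
ParseResult ParseExportSection(const std::vector<uint8_t>& payload, size_t num_funcs, Module& mod) {
  mod.func_types.assign(num_funcs, FuncType{});
  size_t pos = 0;
  uint32_t count = 0;
  if (!ReadU32Leb(payload, pos, count)) return ParseResult::Truncated;
  for (uint32_t i = 0; i < count; ++i) {
    ParseResult r = ParseExportEntry(payload, pos, mod);
    if (r != ParseResult::Ok) return r;
  }
  return ParseResult::Ok;
}

int main() {
  // Constructed sample payloads: one export named "f" of kind 0. The module
  // declares a single function type, so index 0 is valid and index 7 is not.
  Module ok, bad;
  ParseResult r1 = ParseExportSection({0x01, 0x01, 0x66, 0x00, 0x00}, 1, ok);
  ParseResult r2 = ParseExportSection({0x01, 0x01, 0x66, 0x00, 0x07}, 1, bad);
  return (r1 == ParseResult::Ok && r2 == ParseResult::IndexOutOfRange) ? 0 : 1;
}
```

The point of the check is that the export index is attacker-controlled module data, so it has to be compared against the count of functions the module actually declares before it is used as a table subscript; returning an error keeps a malformed module from reaching the dereference at all.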