kanaka / wac

WebAssembly interpreter in C

wac crashes #6

Open ekse opened 6 years ago

ekse commented 6 years ago

Hi, I did a bit of fuzzing and found issues that can make wac crash. I provide files to reproduce the issues.

Issue 1: NULL pointer dereference of function

Sample file: https://drive.google.com/open?id=1JnSjtTw6SeKQksgGa2NrzP_syM0bFG82

If a code section is parsed before imports, m->functions can be NULL and will later cause a null pointer dereference. For example:

Block *function = &m->functions[m->import_count+b];

Issue 2: Read out-of-bounds in read functions read_string(), read_LEB(), read_uint32().

Sample file: https://drive.google.com/open?id=1yKmr0Om_Ypg1nnz8VPnp5LuQFic2WMLc

The read functions do not make sure that the file has at least the remaining amount of data they attempt to read. For example, the read_string function reads the length of a string into str_len and then memcpy's that length without checking that the remaining file size is at least that long.

char *read_string(uint8_t *bytes, uint32_t *pos, uint32_t *result_len) {
    uint32_t str_len = read_LEB(bytes, pos, 32);     // attacker-controlled length, no upper bound
    char * str = malloc(str_len+1);
    memcpy(str, bytes+*pos, str_len);                // reads past the buffer if str_len > remaining bytes
    str[str_len] = '\0';                             // remainder of the function, as in the source
    *pos += str_len;
    if (result_len) { *result_len = str_len; }
    return str;
}

The read functions should take a bytes_len as a parameter and check the remaining size.
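A bounds-checked reader of the kind this report asks for, added here as an illustration and not wac's own code: `read_LEB_checked`, `read_string_checked`, the `bytes_len` parameter and the two sample byte arrays are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unsigned LEB128 reader that refuses to step past bytes_len.
 * Returns 0 on success, -1 on a truncated or over-long encoding. */
static int read_LEB_checked(const uint8_t *bytes, uint32_t bytes_len,
                            uint32_t *pos, uint32_t maxbits, uint64_t *out) {
    uint64_t result = 0;
    uint32_t shift = 0;
    for (;;) {
        if (*pos >= bytes_len) return -1;            /* would read past end of file */
        uint8_t byte = bytes[(*pos)++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80)) break;                   /* last group */
        if (shift >= maxbits) return -1;             /* encoding longer than maxbits allows */
    }
    *out = result;
    return 0;
}

/* Hardened read_string: checks the declared length against the bytes that
 * actually remain before the memcpy. Returns NULL instead of over-reading. */
char *read_string_checked(const uint8_t *bytes, uint32_t bytes_len,
                          uint32_t *pos, uint32_t *result_len) {
    uint64_t str_len;
    if (read_LEB_checked(bytes, bytes_len, pos, 32, &str_len) != 0) return NULL;
    if (str_len > (uint64_t)(bytes_len - *pos)) return NULL;  /* length exceeds remaining data */
    char *str = malloc((size_t)str_len + 1);
    if (str == NULL) return NULL;
    memcpy(str, bytes + *pos, (size_t)str_len);
    str[str_len] = '\0';
    *pos += (uint32_t)str_len;
    if (result_len) *result_len = (uint32_t)str_len;
    return str;
}

/* Constructed inputs: a well-formed 3-byte string, and a string whose LEB128
 * length (0x81 0x01 = 129) is far larger than the two bytes that follow it. */
static const uint8_t SAMPLE_GOOD[]      = { 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x81, 0x01, 'x', 'y' };

/* Returns 1 if the good sample parses as "abc" and the truncated one is rejected. */
int check_samples(void) {
    uint32_t pos = 0, len = 0;
    char *s = read_string_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &pos, &len);
    int ok = (s != NULL) && len == 3 && pos == 4 && strcmp(s, "abc") == 0;
    free(s);
    pos = 0;
    ok = ok && read_string_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &pos, &len) == NULL;
    return ok;
}
```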