Hi, I did a bit of fuzzing and found issues that can make wac crash. I provide files to reproduce the issues.
Issue 1: NULL pointer dereference of function
Sample file: https://drive.google.com/open?id=1JnSjtTw6SeKQksgGa2NrzP_syM0bFG82
If a code section is parsed before imports, m->functions can be NULL and will later cause a null pointer dereference. For example:
Issue 2: Read out-of-bounds in read functions read_string(), read_LEB(), read_uint32().
Sample file: https://drive.google.com/open?id=1yKmr0Om_Ypg1nnz8VPnp5LuQFic2WMLc
The read functions do not make sure that the file has at least the remaining amount of data they attempt to read. For example, the read_string function reads the length of a string into `str_len` and then memcpy's that length without checking that the remaining file size is at least that long. The read functions should take a `bytes_len` as a parameter and check the remaining size.
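A bounds-checked version of the three readers the report names, added here as an example rather than taken from wac: the `checked_read_*` names, the `bytes_len` parameter, `have_bytes()` and `string_matches()` are assumptions, and the two sample buffers are constructed (one well-formed, one whose length prefix claims more bytes than remain).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Shared remaining-size check (hypothetical helper, not wac's code). pos never
 * exceeds bytes_len, so the subtraction cannot wrap. */
static bool have_bytes(uint32_t pos, uint32_t bytes_len, uint32_t need) { return need <= bytes_len - pos; }
/* Little-endian uint32; returns false instead of reading past the buffer. */
bool checked_read_uint32(const uint8_t *b, uint32_t bytes_len, uint32_t *pos, uint32_t *out) {
    if (!have_bytes(*pos, bytes_len, 4)) return false;
    *out = (uint32_t)b[*pos] | (uint32_t)b[*pos + 1] << 8 | (uint32_t)b[*pos + 2] << 16 | (uint32_t)b[*pos + 3] << 24;
    *pos += 4;
    return true;
}
/* Unsigned LEB128, at most 5 bytes for 32 bits; truncated or overlong input is rejected. */
bool checked_read_LEB(const uint8_t *b, uint32_t bytes_len, uint32_t *pos, uint32_t *out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (!have_bytes(*pos, bytes_len, 1)) return false;
        uint8_t byte = b[(*pos)++];
        result |= (uint32_t)(byte & 0x7f) << shift;
        if (!(byte & 0x80)) { *out = result; return true; }
    }
    return false;
}
/* LEB length prefix, then str_len bytes. The second have_bytes() is the check the
 * report says is missing before the memcpy. Caller frees the result. */
char *checked_read_string(const uint8_t *b, uint32_t bytes_len, uint32_t *pos) {
    uint32_t str_len;
    if (!checked_read_LEB(b, bytes_len, pos, &str_len)) return NULL;
    if (!have_bytes(*pos, bytes_len, str_len)) return NULL;
    char *s = malloc((size_t)str_len + 1);
    if (!s) return NULL;
    memcpy(s, b + *pos, str_len);
    s[str_len] = '\0';
    *pos += str_len;
    return s;
}
/* Constructed samples: a well-formed string, and one whose length prefix claims
 * 5 bytes when only 2 remain (the shape of an input that reads out of bounds). */
static const uint8_t sample_ok[] = {0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t sample_short[] = {0x05, 'h', 'i'};
/* 1 if the buffer decodes to exactly `want`, -1 if the reader rejects it, 0 otherwise. */
int string_matches(const uint8_t *b, uint32_t bytes_len, const char *want) {
    uint32_t pos = 0;
    char *s = checked_read_string(b, bytes_len, &pos);
    if (s == NULL) return -1;
    int r = strcmp(s, want) == 0 && pos == bytes_len;
    free(s);
    return r;
}
```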