[crash/fuzzing] "index out of bounds" in wain validate #39

pventuzelo · 2020-07-07T20:42:21Z

Hey,

My fuzzer just triggered this panic index out of bounds error.

Crash:

$ ./target/debug/wain index_oob_wain.wasm 
thread 'main' panicked at 'index out of bounds: the len is 4 but the index is 93', /home/scop/Documents/wain/wain-validate/src/insn.rs:391:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Download:
index_oob_wain.zip

Bug is happening here:

wain/wain-validate/src/insn.rs

Lines 390 to 392 in 27f9ef4

    
           // func.idx was already validated 
        
           let fty = &ctx.outer.module.types[func.idx as usize]; 
        
           // Pop extracts parameters in reverse order

The text was updated successfully, but these errors were encountered:

rhysd · 2020-07-08T01:45:59Z

Thank you for catching this. I'll look into.

rhysd · 2020-07-08T13:20:16Z

This issue was fixed at 08527f5. Now it raises validation error as follows:

Error on validation: type index 93 out of bounds 0 <= idx < 4. error while validating callee at call instruction.  caused at byte offset 562

 ... 34 36 37 34 34 30 37 33 37 30 39 35 35 31 36 31 35 01 2b 26 3c 30 81 90 9b
     ^
     starts from here

rhysd added the bug Something isn't working label Jul 8, 2020

rhysd closed this as completed in 08527f5 Jul 8, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[crash/fuzzing] "index out of bounds" in wain validate #39

[crash/fuzzing] "index out of bounds" in wain validate #39

pventuzelo commented Jul 7, 2020

rhysd commented Jul 8, 2020

rhysd commented Jul 8, 2020

[crash/fuzzing] "index out of bounds" in wain validate #39

[crash/fuzzing] "index out of bounds" in wain validate #39

Comments

pventuzelo commented Jul 7, 2020

rhysd commented Jul 8, 2020

rhysd commented Jul 8, 2020