Description
We encountered a SIGABRT (Assertion Failure) in wasm-opt. The crash occurs within wasm::Function::isVar during the parsing of a malformed WebAssembly binary.
The assertion index < base + vars.size() fails, indicating that the parser attempts to access a local variable using an index that is out of bounds regarding the declared variables/parameters of the function.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-opt
- Crash Type: Assertion Failure (SIGABRT)
- Location: src/wasm/wasm.cpp:1603
- Function: bool wasm::Function::isVar(Index)
- Assertion: Assertion index < base + vars.size() failed
- Root Cause Analysis: The stack trace shows the path WasmBinaryReader::readInst -> IRBuilder::makeLocalGet -> Function::getLocalType -> Function::isVar. It appears the WasmBinaryReader reads a local index from the binary but does not sufficiently validate if this index exists in the current function scope before invoking makeLocalGet, leading to the assertion failure in the underlying Function model.
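As an added illustration of the bounds check the root cause analysis describes as missing (example code, not Binaryen's own; MiniFunction, readLEB128, readLocalGet and sampleFunction are hypothetical names), the reader below validates the decoded local index against the function's params and vars and returns a parse error, so the assertion in the IR model is never reached on malformed input:

```cpp
// Added example (not Binaryen code): validate a local.get index against the
// function's declared locals before building the instruction. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class ValType { I32, I64, F32, F64 };

// Minimal stand-in for wasm::Function: locals are params followed by vars.
struct MiniFunction {
  std::vector<ValType> params;
  std::vector<ValType> vars;
  size_t numLocals() const { return params.size() + vars.size(); }
  // Like Binaryen's getLocalType, this assumes the index is already in range.
  ValType getLocalType(size_t i) const {
    return i < params.size() ? params[i] : vars[i - params.size()];
  }
};

struct LocalGet { uint32_t index; ValType type; };

// Decode an unsigned LEB128 (the encoding wasm uses for local indices) from
// buf[pos]; returns false if it is truncated or longer than 5 bytes.
static bool readLEB128(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
  out = 0;
  for (unsigned shift = 0; shift < 35 && pos < buf.size(); shift += 7) {
    uint8_t byte = buf[pos++];
    out |= uint32_t(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) return true;
  }
  return false;
}

// Parse "local.get <idx>" (opcode 0x20) and check the index against the function
// scope. Returns "" on success, otherwise a parse error the caller can report.
static std::string readLocalGet(const MiniFunction& func, const std::vector<uint8_t>& buf,
                                size_t& pos, LocalGet& out) {
  if (pos >= buf.size() || buf[pos] != 0x20) return "expected local.get opcode";
  ++pos;
  uint32_t index;
  if (!readLEB128(buf, pos, index)) return "malformed local index";
  if (index >= func.numLocals()) {  // the check the report says is missing
    return "local index " + std::to_string(index) + " out of range (function has " +
           std::to_string(func.numLocals()) + " locals)";
  }
  out = {index, func.getLocalType(index)};
  return "";
}

// Constructed sample: 2 params (i32, i64) and 1 var (f32), so valid indices are 0..2.
static MiniFunction sampleFunction() { return {{ValType::I32, ValType::I64}, {ValType::F32}}; }
```

With the sample function, `20 02` decodes to local 2 of type f32, while `20 05` is rejected with an out-of-range error instead of aborting.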
Reproduce
gdb --args ./wasm-opt ./repro -o /dev/null
r
bt
Download Link: repro
Stack Trace (GDB)
wasm-opt: /src/binaryen/src/wasm/wasm.cpp:1603: bool wasm::Function::isVar(Index): Assertion `index < base + vars.size()' failed.
Program received signal SIGABRT, Aborted.
0x00007f0f1d3e6b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f0f1d3e6b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f0f1d38d27e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f0f1d3708ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f0f1d37081b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f0f1d383517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00007f0f2058d506 in wasm::Function::isVar (this=0x516000000080, index=<optimized out>) at /src/binaryen/src/wasm/wasm.cpp:1603
#6 0x00007f0f20590c90 in wasm::Function::getLocalType (this=0x516000000080, index=<optimized out>) at /src/binaryen/src/wasm/wasm.cpp:1654
#7 0x00007f0f207332b4 in wasm::IRBuilder::makeLocalGet (this=0x7f0f1b80c110, local=<optimized out>) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1415
#8 0x00007f0f2067ec79 in wasm::WasmBinaryReader::readInst (this=0x7f0f1b80c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:3208
#9 0x00007f0f2064eaf7 in wasm::WasmBinaryReader::readFunctions (this=0x7f0f1b80c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:3128
#10 0x00007f0f20639c30 in wasm::WasmBinaryReader::read (this=0x7f0f1b80c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:2077
#11 0x00007f0f206f063d in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename="") at /src/binaryen/src/wasm/wasm-io.cpp:67
#12 0x00007f0f206f0dc8 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...) at /src/binaryen/src/wasm/wasm-io.cpp:78
#13 0x00007f0f206f268e in wasm::ModuleReader::read (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...) at /src/binaryen/src/wasm/wasm-io.cpp:101
#14 0x000055c8eedd768d in main (argc=<optimized out>, argv=<optimized out>) at /src/binaryen/src/tools/wasm-opt.cpp:319