Summary
An out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num.
Details
Problematic Sequence
When GET_GLOBAL(I32) is processed, the loader increases stack_cell_num by 1 and may expand the frame_ref_bottom array. For I32 (a 32-bit type) it may return early without additional expansion checks, so if frame_offset_bottom is not at its boundary yet, no expansion of that array occurs despite stack_cell_num having been increased.
Out-of-Bounds Access
When an if opcode is encountered next, it calls PRESERVE_LOCAL_FOR_BLOCK, which iterates up to stack_cell_num over frame_offset_bottom, which may therefore be accessed out of bounds.
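The following is a constructed model of the invariant the advisory describes, added here for illustration; it is not WAMR's loader code. The struct layout, the growth policy in grow(), and the 16-cell starting capacity are assumptions, but the failure mode (frame_ref_bottom grown, stack_cell_num incremented, frame_offset_bottom left alone) and the lockstep fix follow the text above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the two parallel loader stacks named in the advisory.
 * Field names follow the text; layout and growth policy are assumptions. */
typedef struct {
    uint8_t  *frame_ref_bottom;    /* value type of each stack cell */
    uint32_t  frame_ref_cap;
    int16_t  *frame_offset_bottom; /* operand offset of each stack cell */
    uint32_t  frame_offset_cap;
    uint32_t  stack_cell_num;      /* cells in use; used as traversal bound */
} loader_ctx_t;
/* Expand only when the requested size exceeds the current capacity. */
static bool grow(void **buf, uint32_t *cap, size_t elem, uint32_t need) {
    if (need <= *cap) return true;            /* not at boundary yet: no expansion */
    uint32_t ncap = *cap ? *cap * 2 : 16;
    while (ncap < need) ncap *= 2;
    void *p = realloc(*buf, (size_t)ncap * elem);
    if (!p) return false;
    *buf = p; *cap = ncap;
    return true;
}
/* Sequence from the advisory: GET_GLOBAL(I32) grows frame_ref_bottom and bumps
 * stack_cell_num, then returns early without expanding frame_offset_bottom. */
bool push_i32_buggy(loader_ctx_t *c) {
    if (!grow((void **)&c->frame_ref_bottom, &c->frame_ref_cap, 1, c->stack_cell_num + 1)) return false;
    c->stack_cell_num++;
    return true;
}
/* Hardened form: both arrays reach the new size before the count changes. */
bool push_i32_fixed(loader_ctx_t *c) {
    uint32_t need = c->stack_cell_num + 1;
    if (!grow((void **)&c->frame_ref_bottom, &c->frame_ref_cap, 1, need) ||
        !grow((void **)&c->frame_offset_bottom, &c->frame_offset_cap, sizeof(int16_t), need)) return false;
    c->stack_cell_num = need;
    return true;
}
/* Invariant preserve_local_for_block relies on when it walks both arrays up to stack_cell_num. */
bool stacks_consistent(const loader_ctx_t *c) {
    return c->stack_cell_num <= c->frame_ref_cap && c->stack_cell_num <= c->frame_offset_cap;
}
/* Both arrays exactly at capacity (16 cells, assumed), then one I32 push via either path. */
bool consistent_after_push(bool use_fixed) {
    loader_ctx_t c = { malloc(16), 16, malloc(16 * sizeof(int16_t)), 16, 16 };
    bool ok = (use_fixed ? push_i32_fixed : push_i32_buggy)(&c) && stacks_consistent(&c);
    free(c.frame_ref_bottom);
    free(c.frame_offset_bottom);
    return ok;
}
```

stacks_consistent() is the kind of check a loader can assert before any traversal bounded by stack_cell_num; in the buggy path it fails as soon as the arrays start at capacity.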
PoC
To reproduce the vulnerability:
- Enable fast interpreter mode
- Load a WASM module with a function containing:
  - Multiple operations that fill the frame_ref and frame_offset arrays close to capacity
  - A GET_GLOBAL opcode accessing an I32 global variable (when the arrays are at or near capacity)
  - Immediately followed by an IF opcode
Impact