wac crashes #6

Open
ekse opened this issue Jan 22, 2018 · 0 comments
ekse commented Jan 22, 2018

Hi, I did a bit of fuzzing and found issues that can make wac crash. I provide files to reproduce the issues.

Issue 1: NULL pointer dereference of function

Sample file: https://drive.google.com/open?id=1JnSjtTw6SeKQksgGa2NrzP_syM0bFG82

If a code section is parsed before imports, m->functions can be NULL and will later cause a null pointer dereference. For example:

```c
Block *function = &m->functions[m->import_count+b];
```

Issue 2: Read out-of-bounds in the read functions read_string(), read_LEB(), read_uint32().

Sample file: https://drive.google.com/open?id=1yKmr0Om_Ypg1nnz8VPnp5LuQFic2WMLc

The read functions do not make sure that the file has at least the remaining amount of data they attempt to read. For example, the read_string function reads the length of a string into str_len and then memcpy's that many bytes without checking that the remaining file size is at least that long.

```c
char *read_string(uint8_t *bytes, uint32_t *pos, uint32_t *result_len) {
    uint32_t str_len = read_LEB(bytes, pos, 32);   /* attacker-controlled length, no upper bound */
    char * str = malloc(str_len+1);
    memcpy(str, bytes+*pos, str_len);              /* copies str_len bytes without checking the remaining file size */
    /* ... rest of the function elided in the report ... */
```

The read functions should take a bytes_len as a parameter and check the remaining size.

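The fix the report asks for, a reader that carries the total buffer length and checks the remaining size before every access, as an added example. This is not wac's code; the function names read_LEB_checked and read_string_checked, the status-returning convention, and the sample buffers are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds-checked replacement for read_LEB (not wac's code).
 * Decodes an unsigned LEB128 value of at most maxbits (<= 32) bits.
 * Returns 1 on success, 0 if the buffer ends mid-value, the encoding is
 * longer than maxbits allows, or the decoded value does not fit. */
int read_LEB_checked(const uint8_t *bytes, uint32_t bytes_len, uint32_t *pos,
                     uint32_t maxbits, uint32_t *out) {
    uint64_t result = 0;
    uint32_t shift = 0;
    uint32_t max_bytes = (maxbits + 6) / 7;        /* 5 bytes for a 32-bit field */
    for (uint32_t i = 0; i < max_bytes; i++) {
        if (*pos >= bytes_len) return 0;           /* truncated: no byte left to read */
        uint8_t b = bytes[(*pos)++];
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) {
            if (result > 0xFFFFFFFFu) return 0;    /* value overflows the 32-bit field */
            *out = (uint32_t)result;
            return 1;
        }
    }
    return 0;                                      /* continuation bit still set: malformed */
}

/* Hypothetical bounds-checked replacement for read_string (not wac's code).
 * Returns a freshly malloc'd NUL-terminated copy, or NULL if the declared
 * length exceeds the bytes that remain. *pos is left unchanged on failure. */
char *read_string_checked(const uint8_t *bytes, uint32_t bytes_len, uint32_t *pos,
                          uint32_t *result_len) {
    uint32_t start = *pos;
    uint32_t str_len;
    if (!read_LEB_checked(bytes, bytes_len, pos, 32, &str_len)) { *pos = start; return NULL; }
    /* The check the report asks for: compare against the *remaining* bytes.
     * *pos <= bytes_len holds here, so the subtraction cannot wrap. */
    if (str_len > bytes_len - *pos) { *pos = start; return NULL; }
    char *str = malloc((size_t)str_len + 1);
    if (!str) { *pos = start; return NULL; }
    memcpy(str, bytes + *pos, str_len);
    str[str_len] = '\0';
    *pos += str_len;
    if (result_len) *result_len = str_len;
    return str;
}

/* Constructed sample inputs (not from the report's sample files). */
static const uint8_t GOOD[]      = {0x05, 'h', 'e', 'l', 'l', 'o'};          /* claims 5, has 5 */
static const uint8_t TRUNCATED[] = {0x05, 'h', 'e'};                         /* claims 5, has 2 */
static const uint8_t HUGE_LEN[]  = {0xff, 0xff, 0xff, 0xff, 0x0f, 'a', 'b'}; /* claims 0xFFFFFFFF */
static const uint8_t NO_END[]    = {0x80, 0x80};                             /* LEB never terminates */

/* Parses one length-prefixed string; returns its length, or -1 if rejected. */
long parse_one(const uint8_t *buf, uint32_t len) {
    uint32_t pos = 0, n = 0;
    char *s = read_string_checked(buf, len, &pos, &n);
    if (!s) return -1;
    long r = (long)n;
    free(s);
    return r;
}

/* Decodes one LEB128 value; returns it, or -1 if rejected. */
long long leb_value(const uint8_t *buf, uint32_t len) {
    uint32_t pos = 0, v = 0;
    return read_LEB_checked(buf, len, &pos, 32, &v) ? (long long)v : -1;
}

int main(void) {
    printf("GOOD      -> %ld\n", parse_one(GOOD, sizeof GOOD));           /* 5 */
    printf("TRUNCATED -> %ld\n", parse_one(TRUNCATED, sizeof TRUNCATED)); /* -1 */
    printf("HUGE_LEN  -> %ld\n", parse_one(HUGE_LEN, sizeof HUGE_LEN));   /* -1 */
    printf("NO_END    -> %ld\n", parse_one(NO_END, sizeof NO_END));       /* -1 */
    return 0;
}
```

The HUGE_LEN case is the shape the report describes: the length field decodes fine (to 0xFFFFFFFF), so only the comparison against bytes_len - *pos stops the oversized memcpy. Rewinding *pos on failure keeps the caller's position consistent so a failed read cannot desynchronise the parser.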