WASMParser reads ahead causing issues when unexpected code is encountered

[matetokodi]

Found while running dhrystone (from https://github.com/bytecodealliance/wasm-micro-runtime/tree/main/tests/benchmarks/dhrystone) compiled with emcc with -O0

When readAheadLocalGetIfExists reads ahead in computeExprResultPosition it can encounter unknown / unsupported bytecodes; 0x1f in this specific case.

When it looks for a local.set code ahead, and finds one, it uses this data to index into a vector (m_localInfo) that is empty, causing a Segmentation Fault.

Surrounding bytes when inspected when stopped with the debugger (using lookaheadUnsigned8()):

0x05 else
0x20 local.get
0x1f (reserved / try_table?)
0x21 local.set   <====
0x3b i32.store16
0x3c i64.store8

However I was not able to find this byte sequence when I disassembled the .wasm file with wasm-objdump.

This is a functional but inelegant workaround that eliminated the crash:

--- a/src/parser/WASMParser.cpp
+++ b/src/parser/WASMParser.cpp
@@ -665,7 +665,9 @@ private:
     std::pair<Walrus::Optional<uint32_t>, size_t> readAheadLocalGetIfExists() // return localIndex and code length if exists
     {
         Walrus::Optional<uint8_t> mayLoadGetCode = lookaheadUnsigned8();
-        if (mayLoadGetCode.hasValue() && mayLoadGetCode.value() == 0x21) {
+        Walrus::Optional<uint8_t> mayLoadGetCodePrev = lookaheadUnsigned8(-1);
+        if (mayLoadGetCode.hasValue() && mayLoadGetCode.value() == 0x21 &&
+            !(mayLoadGetCodePrev.hasValue() && mayLoadGetCodePrev.value() == 0x1f)) {
             auto r = lookaheadUnsigned32(1);
             if (r.first) {
                 return std::make_pair(r.first, r.second + 1);

dhrystone_emcc_O0.zip

[zherczeg]

The problem is, it uses an unsupported byte code, called try_table. The wabt will catch this, but the byte prescanning (readAheadLocalGetIfExists) happens too early.