
CVE-2023-31669: '@' before a quote (") causes a libc++abi.dylib crash using wat2wasm. · Issue #2165 · WebAssembly/wabt

WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting ‘@’ before a quote (").


Comments

keithw added a commit that referenced this issue

Mar 10, 2023

This adds a bounds-check to WastLexer::GetText to handle the case when the offset is earlier than token_start (e.g. because GetStringToken found a newline in the string and reset token_start to point to it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an annotation, both for code metadata annotation and other kinds. Previously this produced an infinite loop (but only when --enable-annotations was provided).

Fixes #2165

keithw added a commit that referenced this issue

Mar 10, 2023

This adds a bounds-check to WastLexer::GetText to handle the case when the offset is earlier than token_start (e.g. because GetStringToken found a newline in the string and reset token_start to point at it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an annotation, both for code metadata annotations and other kinds. Previously this produced an infinite loop (but only with --enable-annotations).

Fixes #2165
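
The kind of bounds check the commit message describes, as an added example that is not wabt's code: it assumes a simplified lexer whose token text is the bytes from `token_start + offset` up to a cursor. `MiniLexer`, `UncheckedLength` and `MovedStartState` are hypothetical names, and the input bytes are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string_view>

// Simplified lexer state, constructed for illustration (not wabt's code).
struct MiniLexer {
  const char* buffer_end;   // one past the last byte of the input
  const char* token_start;  // may be moved mid-token, e.g. onto a newline
  const char* cursor;       // one past the last consumed byte

  // Unchecked shape: unsigned subtraction wraps when token_start + offset
  // is at or past cursor, yielding an enormous length.
  std::size_t UncheckedLength(std::size_t offset) const {
    return static_cast<std::size_t>(cursor - token_start) - offset;
  }

  // Checked shape: return an empty view unless the requested start lies
  // inside the buffer and strictly before cursor.
  std::string_view GetText(std::size_t offset) const {
    if (token_start > cursor || cursor > buffer_end) return {};
    const std::size_t consumed = static_cast<std::size_t>(cursor - token_start);
    if (offset >= consumed) return {};
    return std::string_view(token_start + offset, consumed - offset);
  }
};

// Constructed state: token_start has been reset to the newline (index 2),
// while the caller still expects to skip a two-byte delimiter.
inline MiniLexer MovedStartState(const char* buf, std::size_t len) {
  return MiniLexer{buf + len, buf + 2, buf + 3};
}

int main() {
  static const char bad[] = "@\"\n";
  MiniLexer lx = MovedStartState(bad, sizeof(bad) - 1);
  std::printf("unchecked length: %zu\n", lx.UncheckedLength(2));
  std::printf("checked length:   %zu\n", lx.GetText(2).size());

  static const char ok[] = "(@name";
  MiniLexer good{ok + 6, ok, ok + 6};
  std::string_view text = good.GetText(2);
  std::printf("normal token:     %.*s\n", static_cast<int>(text.size()),
              text.data());
  return 0;
}
```

A length that has wrapped to the maximum `size_t` value is what turns into an uncaught library exception once it is used to build a string, which is why the checked version returns an empty view instead.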

