| Title | WebAssembly wabt 1.0.39 and master-branch Memory Corruption |
|---|
| Description | ### Description
We encountered a Segmentation Fault (SEGV) vulnerability in the wasm-decompile tool of the WABT project. The crash occurs during the decompilation process when wabt::Decompiler::VarName attempts to access memory at an invalid address.
This issue was reproduced in a Release build (with NDEBUG defined) using AddressSanitizer. The crash is caused by a READ memory access involving a high-value address, suggesting a potential out-of-bounds read or wild pointer dereference when processing variable names in a malformed WebAssembly binary.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
- Build Command:
```
make clang-release-asan CMAKE_FLAGS="-DCMAKE_BUILD_TYPE=Release -DUSE_ASAN=ON -DCMAKE_CXX_FLAGS_RELEASE=-DNDEBUG"
```
### Vulnerability Details
- Target: wasm-decompile
- Crash Type: Segmentation Fault (SEGV) on unknown address
- Faulting Instruction: READ memory access
- Location: wabt::Decompiler::VarName (wasm-decompile+0x1c8398)
- Root Cause Analysis: The ASan report shows SEGV on unknown address triggered by a dereference of a high-value address. The stack trace indicates the crash happens inside wabt::Decompiler::VarName, called by DecompileExpr. This suggests that the decompiler calculates an invalid memory address when resolving the name of a variable, leading to a crash.
### Reproduce
```
./wasm-decompile ./repro
```
Download Link: [repro](https://github.com/oneafter/1208/blob/main/af1)
ASAN report
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==65957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x560645fbc398 bp 0x7fff229f20b0 sp 0x7fff229f1ed0 T0)
==65957==The signal is caused by a READ memory access.
==65957==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x560645fbc398 in wabt::Decompiler::VarName(std::basic_string_view<char, std::char_traits<char>>) (/src/repro/wabt/bin/wasm-decompile+0x1c8398) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#1 0x560645fb013c in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1bc13c) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#2 0x560645fae006 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1ba006) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#3 0x560645fae006 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1ba006) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#4 0x560645fa7938 in wabt::Decompiler::Decompile[abi:cxx11]() (/src/repro/wabt/bin/wasm-decompile+0x1b3938) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#5 0x560645fa42a6 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) (/src/repro/wabt/bin/wasm-decompile+0x1b02a6) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#6 0x560645f40941 in ProgramMain(int, char**) (/src/repro/wabt/bin/wasm-decompile+0x14c941) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
#7 0x7fc57a0221c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#8 0x7fc57a02228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#9 0x560645e64584 in _start (/src/repro/wabt/bin/wasm-decompile+0x70584) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/repro/wabt/bin/wasm-decompile+0x1c8398) (BuildId: b44cadef6a2094e740cb6ce71ee9a45cfac22974) in wabt::Decompiler::VarName(std::basic_string_view<char, std::char_traits<char>>)
==65957==ABORTING
``` |
|---|
| Source | ⚠️ https://github.com/WebAssembly/wabt/issues/2678 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submission | 12/19/2025 10:49 (4 months ago) |
|---|
| Moderation | 01/01/2026 10:19 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 339333 [WebAssembly wabt up to 1.0.39 wasm-decompile VarName out-of-bounds] |
|---|
| Points | 20 |
|---|
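
For triage, the ASan report in the description above can be reduced to a deduplication key so that repeat crashes from the same fault land in one bucket. This Python is an added example, not part of the submission or of WABT; the `parse` and `bucket` helpers and the bucketing scheme are assumptions, and the embedded report is abridged from the one on this page with the BuildId fields dropped.

```python
import hashlib
import re

# Abridged from the ASan report on this page (BuildId fields dropped).
REPORT = """\
==65957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x560645fbc398 bp 0x7fff229f20b0 sp 0x7fff229f1ed0 T0)
==65957==The signal is caused by a READ memory access.
#0 0x560645fbc398 in wabt::Decompiler::VarName(std::basic_string_view<char, std::char_traits<char>>) (/src/repro/wabt/bin/wasm-decompile+0x1c8398)
#1 0x560645fb013c in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1bc13c)
#2 0x560645fae006 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1ba006)
#3 0x560645fae006 in wabt::Decompiler::DecompileExpr(wabt::Node const&, wabt::Node const*) (/src/repro/wabt/bin/wasm-decompile+0x1ba006)
#4 0x560645fa7938 in wabt::Decompiler::Decompile[abi:cxx11]() (/src/repro/wabt/bin/wasm-decompile+0x1b3938)
#7 0x7fc57a0221c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0xPC [in SYMBOL] (MODULE+0xOFFSET)"; SYMBOL is absent on unsymbolized frames.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ (?:in (.+?) )?\((\S+?)\+(0x[0-9a-f]+)\)", re.M)

def parse(report):
    """Extract error kind, access kind and stack frames from an ASan report."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = []
    for _n, sym, module, off in FRAME_RE.findall(report):
        # Drop ABI tags and the argument list so overloads and builds compare equal.
        name = re.sub(r"\[abi:[^\]]*\]", "", sym).split("(")[0] if sym else None
        frames.append({"func": name, "module": module.rsplit("/", 1)[-1], "offset": off})
    return {"error": err.group(1) if err else "?", "access": acc.group(1) if acc else "?", "frames": frames}

def bucket(crash, target="wasm-decompile", depth=3):
    """Dedup key: error kind, access kind, top distinct frames inside the target binary."""
    names = []
    for f in crash["frames"]:
        if f["module"] != target or f["func"] is None:
            continue
        if not names or names[-1] != f["func"]:  # collapse recursive repeats
            names.append(f["func"])
    key = "|".join([crash["error"], crash["access"], *names[:depth]])
    return key, hashlib.sha256(key.encode()).hexdigest()[:12]

if __name__ == "__main__":
    print(bucket(parse(REPORT)))
```

Module offsets such as `+0x1c8398` are kept per frame but left out of the key, since they change with every rebuild of the binary.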