WebAssembly wabt
cpe:2.3:a:webassembly:wabt:*:*:*:*:*:*:*
- <= 1.0.37
A resource consumption vulnerability has been identified in WebAssembly wabt versions through 1.0.37. The issue is in the function 'OnDataCount' in 'src/interp/binary-reader-interp.cc', where improper handling of the data count leads to excessive memory allocation. The attack vector is local, and exploitation can cause a denial-of-service condition by exhausting available system resources.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to run out of memory and potentially terminate prematurely.
The vulnerability can be reproduced by compiling wabt with AddressSanitizer enabled, which helps detect memory allocation issues. After building wabt with the appropriate flags, the 'read_binary_interp_fuzzer' can be built and run against a crafted WebAssembly file that triggers the 'OnDataCount' function. The process involves downloading the fuzzing harness from the wabt repository, compiling it with Clang, and then running it with a specific input file that causes the out-of-memory error.
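A pre-screening check for untrusted modules before they reach a wabt-based tool, as an added example that is not wabt's code or part of this advisory. It assumes the oversized value is the count declared in the module's DataCount section (id 12 in the WebAssembly binary format); `is_suspicious`, `hard_cap` and the sample bytes are constructed for illustration.

```python
WASM_MAGIC = b"\x00asm"
DATACOUNT_SECTION_ID = 12  # DataCount section id in the WebAssembly binary format

def read_u32_leb(buf, pos):
    """Decode an unsigned LEB128 u32 at pos; return (value, next_pos)."""
    result = shift = 0
    for _ in range(5):  # a u32 occupies at most 5 LEB128 bytes
        if pos >= len(buf):
            raise ValueError("truncated LEB128")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if result > 0xFFFFFFFF:
                raise ValueError("LEB128 value exceeds u32")
            return result, pos
    raise ValueError("LEB128 longer than 5 bytes")

def declared_data_count(module):
    """Return the DataCount value, or None if the module has no such section."""
    if len(module) < 8 or module[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly binary")
    pos = 8  # skip the 4-byte magic and 4-byte version
    while pos < len(module):
        section_id = module[pos]
        size, body = read_u32_leb(module, pos + 1)
        if body + size > len(module):
            raise ValueError("section extends past end of file")
        if section_id == DATACOUNT_SECTION_ID:
            count, _ = read_u32_leb(module, body)
            return count
        pos = body + size
    return None

def is_suspicious(module, hard_cap=100_000):
    """Flag a declared data count that the file contents cannot back up."""
    count = declared_data_count(module)
    if count is None:
        return False
    # Every data segment occupies at least one byte, so a count larger than
    # the whole file is impossible in a valid module. hard_cap is an assumed
    # local policy limit, not a value from the advisory.
    return count > hard_cap or count > len(module)

# Constructed samples: header + DataCount(1) + Data section with one empty
# passive segment, and header + DataCount(5000) in a 12-byte file.
BENIGN = WASM_MAGIC + b"\x01\x00\x00\x00" + b"\x0c\x01\x01" + b"\x0b\x03\x01\x01\x00"
OVERSIZED = WASM_MAGIC + b"\x01\x00\x00\x00" + b"\x0c\x02\x88\x27"
```

The check rejects a module before any parser acts on the declared count; it does not replace upgrading past the affected versions.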