Wren Language Out-of-Bounds Read Vulnerability in Source File Parser

A heap-based buffer overflow vulnerability has been identified in the Wren programming language, specifically in versions up to 0.4.0. The issue arises in the source file parser within the function 'peekChar', located in 'src/vm/wren_compiler.c'. This vulnerability allows for an out-of-bounds read, where the parser fails to correctly handle malformed string literals, particularly those with excessive quotes. As a result, the lexer reads beyond the allocated buffer, leading to a memory violation. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building Wren with release optimization and AddressSanitizer (ASan) enabled. After compiling the language, the 'peekChar' function can be targeted by parsing a source file that contains a malformed sequence of quotes, which triggers the raw string parsing mechanism. This can be done using a simple C program that loads the malformed string into the Wren VM, where the AddressSanitizer will report the out-of-bounds read error.