Wren Language Uncontrolled Recursion Vulnerability in Compiler Function
Vulnerability
A heap-buffer-underflow vulnerability leading to stack exhaustion has been identified in the Wren programming language, specifically in versions up to 0.4.0. The issue arises in the 'resolveLocal' function within 'src/vm/wren_compiler.c', where the compiler does not bound its recursion. Deeply nested code blocks drive the parser more than 300 frames deep, at which point the pointer arithmetic used to look up local variables goes wrong and memory is corrupted or misaddressed. As a result, the 'bcmp' function reads memory 766 bytes before the start of the allocated buffer, creating a potential exploitation vector.
Impact
Exploitation of this vulnerability causes a heap-buffer-underflow, leading to memory corruption and to stack exhaustion from uncontrolled recursion, which can be exploited to read memory out of bounds.
Reproduction
The vulnerability can be reproduced by building Wren with release optimizations and AddressSanitizer (ASan) enabled. After compiling the Wren interpreter, it can be run with a proof-of-concept file that triggers the deep recursion in the 'resolveLocal' function. ASan reports the fault as a heap-buffer-overflow (its label for out-of-bounds reads on either side of an allocation) and places the faulting address before the allocated region, confirming the underflow.
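The defensive pattern for this class of bug is to cap scope nesting at the point where a scope is opened and to carry an explicit depth counter through any recursive walk over the enclosing scopes, so that a pathological input produces a compile error instead of an unbounded recursion. The following C program is an added illustration of that pattern, not Wren's own code or its fix; the names 'Scope', 'scopeOpen', 'resolveLocalBounded', 'MAX_NESTING' and the constructed 10-deep and 300-deep nests are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOCALS 8
#define MAX_NESTING 256  /* hypothetical cap on how deeply scopes may nest */

/* One lexical scope; scopes form a parent chain from innermost to outermost. */
typedef struct Scope {
    struct Scope *parent;
    int depth;                      /* 0 for the outermost scope */
    int numLocals;
    const char *names[MAX_LOCALS];
} Scope;

/* Result codes returned by the resolver. */
enum { RESOLVE_NOT_FOUND = -1, RESOLVE_TOO_DEEP = -2 };

/* Open a nested scope. Refuses once MAX_NESTING levels exist, so every later
   recursive walk over the parent chain has a known upper bound. */
Scope *scopeOpen(Scope *parent) {
    int depth = parent ? parent->depth + 1 : 0;
    if (depth >= MAX_NESTING) return NULL;   /* a real compiler reports an error here */
    Scope *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->parent = parent;
    s->depth = depth;
    return s;
}

/* Declare a local in a scope; returns its slot index or -1 when the scope is full. */
int scopeDeclare(Scope *s, const char *name) {
    if (s->numLocals >= MAX_LOCALS) return -1;
    s->names[s->numLocals] = name;
    return s->numLocals++;
}

/* Recursive lookup walking outward through enclosing scopes. The explicit depth
   argument is checked on every call rather than trusting the chain length, so a
   corrupted or overlong chain cannot drive the recursion past MAX_NESTING. */
int resolveLocalBounded(const Scope *s, const char *name, int depth) {
    if (s == NULL) return RESOLVE_NOT_FOUND;
    if (depth >= MAX_NESTING) return RESOLVE_TOO_DEEP;
    for (int i = s->numLocals - 1; i >= 0; i--) {
        if (strcmp(s->names[i], name) == 0) return i;
    }
    return resolveLocalBounded(s->parent, name, depth + 1);
}

/* Free a chain starting at its innermost scope. */
void scopeFreeChain(Scope *s) {
    while (s != NULL) {
        Scope *p = s->parent;
        free(s);
        s = p;
    }
}

/* Open `levels` nested scopes; returns how many were actually opened and hands
   back the innermost one (constructed input standing in for nested blocks). */
int buildNestedChain(int levels, Scope **innermost) {
    Scope *cur = NULL;
    int opened = 0;
    for (int i = 0; i < levels; i++) {
        Scope *next = scopeOpen(cur);
        if (next == NULL) break;
        cur = next;
        opened++;
    }
    *innermost = cur;
    return opened;
}

/* Self-check: a 10-deep nest resolves a local declared in the outermost scope
   and reports an unknown name cleanly. Returns 1 on success, 0 otherwise. */
int demoBoundedResolve(void) {
    Scope *inner = NULL;
    if (buildNestedChain(10, &inner) != 10) return 0;
    Scope *outer = inner;
    while (outer->parent != NULL) outer = outer->parent;
    if (scopeDeclare(outer, "x") != 0) return 0;
    int ok = resolveLocalBounded(inner, "x", 0) == 0
          && resolveLocalBounded(inner, "y", 0) == RESOLVE_NOT_FOUND
          && resolveLocalBounded(inner, "x", MAX_NESTING) == RESOLVE_TOO_DEEP;
    scopeFreeChain(inner);
    return ok;
}

/* Self-check: a 300-deep nest (past the depth the advisory describes) is cut
   off at MAX_NESTING instead of growing without limit. Returns the count opened. */
int demoDeepNest(void) {
    Scope *deep = NULL;
    int opened = buildNestedChain(300, &deep);
    scopeFreeChain(deep);
    return opened;
}

int main(void) {
    printf("bounded resolve ok: %d\n", demoBoundedResolve());
    printf("scopes opened for a 300-deep nest: %d (cap %d)\n", demoDeepNest(), MAX_NESTING);
    return 0;
}
```

The cap belongs at scope entry, not only inside the resolver: refusing to open the scope is what stops the parser from recursing further in the first place, while the depth argument in 'resolveLocalBounded' is a second, independent guard for the walk itself.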