Closed
Description
Hi,
I was using AFL++ on Binaryen and noticed that some generated files cause a segmentation fault in wasm-opt with the -O3 flag. I hope the gdb and valgrind output will help, since the input file was generated by AFL++ and was not validated.
Reproduce
input file: wasm_segFault.zip
command: bin/wasm-opt -O3 segFault.wasm
GDB
Starting program: /home/usan/meas/aflver/binaryen/bin/wasm-opt -O3 afl/opt_out_pp/default/crashes/segFault.wasm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78906a8 in wasm::WATParser::Lexer::position (this=<optimized out>, c=<optimized out>)
at /home/usan/meas/aflver/binaryen/src/parser/lexer.cpp:1144
1144 if (*p == '\n') {
(gdb) bt
#0 0x00007ffff78906a8 in wasm::WATParser::Lexer::position (this=<optimized out>, c=<optimized out>)
at /home/usan/meas/aflver/binaryen/src/parser/lexer.cpp:1144
#1 0x00007ffff787f74a in wasm::WATParser::Lexer::position (this=0x7fffffffb7b0, i=<optimized out>)
at /home/usan/meas/aflver/binaryen/src/parser/lexer.h:163
#2 wasm::WATParser::Lexer::err (this=this@entry=0x7fffffffb7b0, pos=pos@entry=8463800222054970741,
reason="unrecognized instruction") at /home/usan/meas/aflver/binaryen/src/parser/lexer.h:171
#3 0x00007ffff79387e9 in wasm::WATParser::plaininstr<wasm::WATParser::NullCtx> (ctx=...,
annotations=...) at /home/usan/meas/aflver/binaryen/src/gen-s-parser.inc:8613
#4 0x7575757575757575 in ?? ()
#5 0x7575757575757575 in ?? ()
#6 0x7575757575757575 in ?? ()
#7 0x7575757575757575 in ?? ()
#8 0x7575757575757575 in ?? ()
#9 0x7575757575757575 in ?? ()
#10 0x7575757575757575 in ?? ()
#11 0x7575757575757575 in ?? ()
#12 0x7575757575757575 in ?? ()
#13 0x7575757575757575 in ?? ()
#14 0x7575756575757575 in ?? ()
#15 0x7575757575757575 in ?? ()
#16 0x7575757575757575 in ?? ()
#17 0x7575757575757575 in ?? ()
#18 0x7575757575757575 in ?? ()
#19 0x7575757575757575 in ?? ()
#20 0x7575757575757575 in ?? ()
#21 0x7575757575757575 in ?? ()
#22 0x7575757575757575 in ?? ()
#23 0x7575757575757575 in ?? ()
#24 0x7575757575757575 in ?? ()
#25 0x7575757575757575 in ?? ()
#26 0x7575757575757575 in ?? ()
#27 0x7575757575757575 in ?? ()
#28 0x7575757575757575 in ?? ()
#29 0x7575757575757575 in ?? ()
#30 0x7575757575757575 in ?? ()
#31 0x7575757575757575 in ?? ()
#32 0x7575757575757575 in ?? ()
--Type <RET> for more, q to quit, c to continue without paging--
Valgrind
==13857== Invalid read of size 1
==13857== at 0x5BB96A8: wasm::WATParser::Lexer::position(char const*) const (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x5BA8749: wasm::WATParser::Lexer::err(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x5C617E8: wasm::MaybeResult<wasm::Ok> wasm::WATParser::plaininstr<wasm::WATParser::NullCtx>(wasm::WATParser::NullCtx&, std::vector<wasm::WATParser::Annotation, std::allocator<wasm::WATParser::Annotation> > const&) (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== Address 0x7575757575757575 is not stack'd, malloc'd or (recently) free'd
==13857==
==13857==
==13857== Process terminating with default action of signal 11 (SIGSEGV)
==13857== General Protection Fault
==13857== at 0x5BB96A8: wasm::WATParser::Lexer::position(char const*) const (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x5BA8749: wasm::WATParser::Lexer::err(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x5C617E8: wasm::MaybeResult<wasm::Ok> wasm::WATParser::plaininstr<wasm::WATParser::NullCtx>(wasm::WATParser::NullCtx&, std::vector<wasm::WATParser::Annotation, std::allocator<wasm::WATParser::Annotation> > const&) (in /home/usan/meas/aflver/binaryen/lib/libbinaryen.so)
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857== by 0x7575757575757574: ???
==13857==
==13857== HEAP SUMMARY:
==13857== in use at exit: 185,994 bytes in 2,315 blocks
==13857== total heap usage: 3,682 allocs, 1,367 frees, 406,997 bytes allocated
==13857==
==13857== LEAK SUMMARY:
==13857== definitely lost: 97 bytes in 3 blocks
==13857== indirectly lost: 0 bytes in 0 blocks
==13857== possibly lost: 21,493 bytes in 1 blocks
==13857== still reachable: 164,404 bytes in 2,311 blocks
==13857== suppressed: 0 bytes in 0 blocks
==13857== Rerun with --leak-check=full to see details of leaked memory
==13857==
==13857== For lists of detected and suppressed errors, rerun with: -s
==13857== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault