EDB-ID: 44427 | Author: Google Security Research | Published: 2018-04-09 | CVE: CVE-2018-4121 | Type: Dos | Platform: Multiple | Aliases: N/A | Advisory/Source: Link | Tags: N/A | Vulnerable App: N/A |
static inline bool validateOrder(Section previous, Section next)
{
if (previous == Section::Custom)
return true;
return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}
If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order.
The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44427.zip
