WASM serialization calls std::vector::resize(SIZE_MAX) which always leads to crash #152

Open
zhangbo-miuNEST opened this issue Mar 15, 2019 · 6 comments
@zhangbo-miuNEST

100% crash.

file: libraries/wasm-jit/Source/WASM/WASMSerialization.cpp
line: 384

OutputStream::capacity() always returns SIZE_MAX, so std::vector::resize(SIZE_MAX) always leads to a crash. Please comment it out. Thanks.

void serialize(OutputStream& stream,UserSection& userSection)
{
userSection.data.resize( sectionStream.capacity() ? sectionStream.capacity() : 1 );
}

The latest WAVM source code has commented it out, but EOS and gxb-core don't synchronize with it yet.
https://github.com/EOSIO/eos/blob/master/libraries/wasm-jit/Source/WASM/WASMSerialization.cpp
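As an added example (not code from gxb-core, EOS or WAVM), here is a small model of the defect described in the report and of the guard a reviewer would want: an OutputStream whose capacity() is SIZE_MAX because it grows on demand, an InputStream bounded by the bytes still unread, and the user-section serializer in the reported unguarded form beside a form that only sizes the buffer when reading. The stream types, the isInput flag and the round-trip helpers are assumptions of this example, chosen to mirror WAVM's template-over-stream design, not its actual source.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Assumed model of a write stream: it grows as bytes are appended, so there is
// no finite capacity to report. This is the SIZE_MAX the report refers to.
struct OutputStream {
    static constexpr bool isInput = false;
    std::vector<uint8_t> bytes;
    size_t capacity() const { return SIZE_MAX; }
    void serializeBytes(const uint8_t* data, size_t n) {
        bytes.insert(bytes.end(), data, data + n);
    }
};

// Assumed model of a read stream: capacity() is the number of unread bytes,
// which is the value the buffer-sizing line was written for.
struct InputStream {
    static constexpr bool isInput = true;
    const uint8_t* next;
    const uint8_t* end;
    InputStream(const uint8_t* b, size_t n) : next(b), end(b + n) {}
    size_t capacity() const { return size_t(end - next); }
    void serializeBytes(uint8_t* data, size_t n) {
        if (n > capacity()) throw std::runtime_error("truncated section");
        if (n) std::memcpy(data, next, n);
        next += n;
    }
};

struct UserSection {
    std::vector<uint8_t> data;
};

// The pattern from the report: the buffer is sized to the stream's capacity
// regardless of direction. On an OutputStream that is resize(SIZE_MAX), which
// exceeds vector::max_size() and throws std::length_error; uncaught, as in
// the wast2wasm tool, that is the core dump.
template<typename Stream>
void serializeUnguarded(Stream& stream, UserSection& section) {
    section.data.resize(stream.capacity());
    stream.serializeBytes(section.data.data(), section.data.size());
}

// Hardened form: only a reader needs to size the buffer from the stream; a
// writer already owns the bytes it is about to emit. Plain `if` on a constexpr
// flag keeps this C++11-compatible; both branches compile for both streams.
template<typename Stream>
void serializeGuarded(Stream& stream, UserSection& section) {
    if (Stream::isInput) {
        section.data.resize(stream.capacity());
    }
    stream.serializeBytes(section.data.data(), section.data.size());
}

// Reproduces the reported failure: true when writing through the unguarded
// path throws std::length_error.
bool unguardedOutputThrows() {
    OutputStream out;
    UserSection section;
    section.data = {1, 2, 3};  // constructed sample payload
    try {
        serializeUnguarded(out, section);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

// Writes a payload with the guarded serializer, then reads it back through the
// same template instantiated on the input stream. Returns the recovered bytes.
std::vector<uint8_t> roundTrip(const std::vector<uint8_t>& payload) {
    OutputStream out;
    UserSection written;
    written.data = payload;
    serializeGuarded(out, written);

    InputStream in(out.bytes.data(), out.bytes.size());
    UserSection read;
    serializeGuarded(in, read);
    return read.data;
}

int main() {
    const std::vector<uint8_t> sample = {0x00, 0x61, 0x73, 0x6d};  // constructed
    bool ok = unguardedOutputThrows() && roundTrip(sample) == sample;
    return ok ? 0 : 1;
}
```

The guard is on the direction of the stream rather than on the value of capacity(), which is the point: a check such as `capacity() ? capacity() : 1` still passes SIZE_MAX through unchanged on the write side.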

@lanhaoxiang
Member

Thanks a lot. Can you also leave your gxchain account so we can send you the bug bounty for your contribution?

@zhangbo-miuNEST
Author

My gxchain account is z16166. Thanks.

@ddggstudy
Member

Thank you very much!

Can you supply example code or a method that leads to the crash, to help us fix the problem ASAP?

@zhangbo-miuNEST
Author

Just build the target "gxc-wast2wasm" from gxb-core and run it; it will core dump.
This tool is for WASM assembling.

command:
gxc-wast2wasm gxb-core/libraries/wasm-jit/Test/fuzzy/address.wast ./address.wasm

@RootkitKiller
Contributor

Thank you very much for the great work you have done, @zhangbo-miuNEST .

Have you found a "witness_node" crash caused by this bug? (witness_node is the node program.)

gxc-wast2wasm is a compilation tool. We first compile the cpp code into wasm bytecode and then deploy the wasm bytecode to the blockchain. The crash took place in the first phase. I haven't found any impact on the witness_node node. Are there more fuzz files or contracts?

@zhangbo-miuNEST
Author

No, witness_node is not affected.
