[Bug] Heap-buffer-overflow (Underflow) / Stack Exhaustion in resolveLocal due to deep recursion #1218

@oneafter

Description

We discovered a Heap-buffer-overflow (specifically an underflow) vulnerability in Wren. The crash occurs in resolveLocal (triggering bcmp) when the compiler attempts to parse a deeply nested structure (likely nested loops or blocks).

The ASAN report shows an extremely deep call stack (~300+ frames) of recursive parsing functions (statement -> definition -> finishBlock). This deep recursion likely leads to memory corruption or an invalid pointer calculation when resolving local variables, causing a read access 766 bytes before the allocated source buffer.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: Wren (wren-lang)
  • Vulnerability Type: CWE-674: Uncontrolled Recursion / CWE-125: Out-of-bounds Read
  • Function: resolveLocal (calling bcmp)
  • Location: src/vm/wren_compiler.c:1539
  • Root Cause Analysis: The parser allows excessive nesting of code blocks or control structures.
// Recurring pattern in stack trace:
#-15 loopBody
#-16 forStatement
#-17 statement
#-18 definition
#-19 finishBlock
...

This recursive descent parser consumes stack space and likely pushes compiler state (locals, scopes) onto an internal stack. When the nesting is too deep, resolveLocal attempts to look up a variable name. Due to the depth, an index calculation for the local variable lookup might become negative or invalid, or the internal compiler state might be corrupted, causing bcmp to read memory preceding the valid heap allocation.

Reproduce

  1. Build wren and harness with Release optimization and ASAN enabled.
harness.c
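#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "wren.h"

// Output and error callbacks deliberately discard everything: the harness
// only cares whether compiling the input crashes.
void writeFn(WrenVM* vm, const char* text) {
    (void)vm;
    (void)text;
}

void errorFn(WrenVM* vm, WrenErrorType type, const char* module, int line, const char* message) {
    (void)vm; (void)type; (void)module; (void)line; (void)message;
}

int main(int argc, char** argv) {
    if (argc < 2) return 1;

    // Read the whole input file into a NUL-terminated buffer.
    FILE* f = fopen(argv[1], "rb");
    if (!f) return 1;

    fseek(f, 0, SEEK_END);
    long length = ftell(f);
    fseek(f, 0, SEEK_SET);
    if (length < 0) {
        // ftell failed; a negative length must not reach malloc/fread.
        fclose(f);
        return 1;
    }

    char* buffer = (char*)malloc((size_t)length + 1);
    if (!buffer) {
        fclose(f);
        return 1;
    }

    if (fread(buffer, 1, (size_t)length, f) != (size_t)length) {
        free(buffer);
        fclose(f);
        return 1;
    }
    buffer[length] = '\0';
    fclose(f);

    WrenConfiguration config;
    wrenInitConfiguration(&config);
    config.writeFn = writeFn;
    config.errorFn = errorFn;

    WrenVM* vm = wrenNewVM(&config);

    // Compile and run the input as module "main"; the result is ignored.
    WrenInterpretResult result = wrenInterpret(vm, "main", buffer);
    (void)result;

    wrenFreeVM(vm);
    free(buffer);

    return 0;
}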
  2. Run with the crashing file:
./bin/harness repro
ASAN report
==96037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x530000000102 at pc 0x564f0da94848 bp 0x7fffe1d97780 sp 0x7fffe1d96f28
READ of size 1 at 0x530000000102 thread T0
    #0 0x564f0da94847 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/src/wren/bin/fuzz_wren+0x53847) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)
    #1 0x564f0da94bc0 in bcmp (/src/wren/bin/fuzz_wren+0x53bc0) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)
    #2 0x564f0db75ce2 in resolveLocal /src/wren/projects/make/../../src/vm/wren_compiler.c:1539:9
    #3 0x564f0db75ce2 in resolveNonmodule /src/wren/projects/make/../../src/vm/wren_compiler.c:1624:20
    #4 0x564f0db75ce2 in name /src/wren/projects/make/../../src/vm/wren_compiler.c:2375:23
    #5 0x564f0db85edd in parsePrecedence /src/wren/projects/make/../../src/vm/wren_compiler.c:2849:3
    #6 0x564f0db85edd in expression /src/wren/projects/make/../../src/vm/wren_compiler.c:2863:3
    #7 0x564f0db85edd in namedCall /src/wren/projects/make/../../src/vm/wren_compiler.c:2099:5
    #8 0x564f0db87d44 in parsePrecedence /src/wren/projects/make/../../src/vm/wren_compiler.c:2849:3
    #9 0x564f0db87d44 in expression /src/wren/projects/make/../../src/vm/wren_compiler.c:2863:3
    #10 0x564f0db87d44 in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1779:5
    #11 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #12 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #13 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #14 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #15 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #16 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #17 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #18 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #19 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #20 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #21 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #22 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #23 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #24 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #25 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #26 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #27 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #28 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #29 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #30 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #31 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #32 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #33 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #34 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #35 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #36 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #37 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #38 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #39 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #40 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #41 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #42 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #43 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #44 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #45 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #46 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #47 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #48 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #49 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #50 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #51 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #52 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #53 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #54 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #55 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #56 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #57 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #58 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #59 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #60 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #61 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #62 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #63 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #64 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #65 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #66 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #67 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #68 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #69 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #70 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #71 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #72 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #73 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #74 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #75 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #76 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #77 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #78 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #79 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #80 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #81 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #82 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #83 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #84 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #85 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #86 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #87 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #88 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #89 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #90 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #91 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #92 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #93 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #94 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #95 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #96 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #97 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #98 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #99 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #100 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #101 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #102 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #103 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #104 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #105 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #106 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #107 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #108 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #109 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #110 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #111 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #112 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #113 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #114 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #115 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #116 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #117 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #118 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #119 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #120 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #121 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #122 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #123 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #124 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #125 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #126 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #127 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #128 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #129 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #130 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #131 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #132 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #133 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #134 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #135 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #136 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #137 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #138 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #139 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #140 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #141 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #142 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #143 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #144 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #145 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #146 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #147 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #148 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #149 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #150 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #151 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #152 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #153 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #154 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #155 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #156 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #157 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #158 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #159 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #160 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #161 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #162 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #163 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #164 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #165 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #166 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #167 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #168 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #169 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #170 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #171 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #172 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #173 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #174 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #175 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #176 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #177 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #178 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #179 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #180 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #181 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #182 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #183 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #184 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #185 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #186 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #187 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #188 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #189 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #190 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #191 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #192 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #193 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #194 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #195 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #196 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #197 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #198 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #199 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #200 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #201 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #202 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #203 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #204 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #205 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #206 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #207 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #208 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #209 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #210 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #211 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #212 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #213 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #214 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #215 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #216 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #217 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #218 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #219 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #220 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #221 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #222 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #223 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #224 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #225 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #226 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #227 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #228 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #229 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #230 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #231 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #232 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #233 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #234 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #235 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #236 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #237 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #238 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #239 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #240 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #241 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #242 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #243 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #244 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #245 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #246 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #247 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #248 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #249 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #250 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #251 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #252 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #253 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #254 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #255 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #256 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #257 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #258 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #259 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #260 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #261 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #262 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #263 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #264 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #265 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #266 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #267 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #268 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #269 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #270 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #271 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #272 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #273 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #274 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #275 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #276 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #277 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #278 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #279 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #280 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #281 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #282 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #283 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #284 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #285 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #286 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #287 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #288 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #289 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #290 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #291 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #292 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #293 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #294 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #295 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #296 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #297 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #298 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #299 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #300 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #301 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #302 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #303 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #304 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #305 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #306 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #307 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #308 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #309 0x564f0db7ed7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #310 0x564f0db8804d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #311 0x564f0db95bb7 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3256:9
    #312 0x564f0db96856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #313 0x564f0db96856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #314 0x564f0db96856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5

0x530000000102 is located 766 bytes before 57245-byte region [0x530000000400,0x53000000e39d)
allocated by thread T0 here:
    #0 0x564f0db173f3 in malloc (/src/wren/bin/fuzz_wren+0xd63f3) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)
    #1 0x564f0db58bb5 in main /src/wren/fuzz_wren.c:26:27
    #2 0x7ff2829dc1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #3 0x7ff2829dc28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x564f0da775c4 in _start (/src/wren/bin/fuzz_wren+0x365c4) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/wren/bin/fuzz_wren+0x53847) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x52fffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52ffffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52ffffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x530000000000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x530000000100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x530000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==96037==ABORTING
