[Bug] NULL Pointer Dereference in getByteCountForArguments during for loop compilation

[oneafter]

Description

We discovered a Segmentation Fault in the Wren compiler. The crash occurs in getByteCountForArguments when compiling a specifically crafted script containing for loops (likely nested or within a class method).

The ASAN report indicates a SEGV on address 0x0000000005c8. Given the small offset from zero, this is almost certainly a NULL Pointer Dereference where a struct member is accessed from a NULL pointer.

Environment

• OS: Linux x86_64
• Complier: Clang
• Build Configuration: Release mode with ASan enabled.

Vulnerability Details

• Target: Wren (wren-lang)
• Vulnerability Type: CWE-476: NULL Pointer Dereference
• Function: getByteCountForArguments
• Location: src/vm/wren_compiler.c:2961 (called from endLoop)
• Root Cause Analysis: The crash occurs during the compilation of a for loop (endLoop -> getByteCountForArguments). The accessed address 0x5c8 suggests an instruction attempting to read a field at offset 1480 from a base pointer that is NULL.

In endLoop, the compiler generates bytecode for the iterator protocol. It likely attempts to access signature information or compiler state to determine argument byte counts for the implicit iterate or iteratorValue calls. If the compilation state is corrupted (e.g., inside a malformed class definition or deeply nested structure), a required pointer (likely the Compiler* or a Signature*) is NULL, causing the crash.

Reproduce

1. Build wren and harness with Release optimization and ASAN enabled.

harness.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "wren.h"

void writeFn(WrenVM* vm, const char* text) {
   
}

void errorFn(WrenVM* vm, WrenErrorType type, const char* module, int line, const char* message) {
   
}

int main(int argc, char** argv) {
    if (argc < 2) return 1;
    
    FILE* f = fopen(argv[1], "rb");
    if (!f) return 1;
    
    fseek(f, 0, SEEK_END);
    long length = ftell(f);
    fseek(f, 0, SEEK_SET);
    
    char* buffer = (char*)malloc(length + 1);
    if (!buffer) {
        fclose(f);
        return 1;
    }
    
    if (fread(buffer, 1, length, f) != (size_t)length) {
        free(buffer);
        fclose(f);
        return 1;
    }
    buffer[length] = '\0';
    fclose(f);

    WrenConfiguration config;
    wrenInitConfiguration(&config);
    config.writeFn = writeFn;
    config.errorFn = errorFn;

    WrenVM* vm = wrenNewVM(&config);

    WrenInterpretResult result = wrenInterpret(vm, "main", buffer);

    wrenFreeVM(vm);
    free(buffer);

    return 0;
}

2. Run with the crashing file:

./bin/harness repro

ASAN report

==87770==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000005c8 (pc 0x5646c9ac6fcf bp 0x7ffe70d7f4b0 sp 0x7ffe70d7f4b0 T0)
==87770==The signal is caused by a READ memory access.
==87770==Hint: address points to the zero page.
    #0 0x5646c9ac6fcf in getByteCountForArguments /src/wren/projects/make/../../src/vm/wren_compiler.c:2961:25
    #1 0x5646c9ae0777 in endLoop /src/wren/projects/make/../../src/vm/wren_compiler.c:3023:16
    #2 0x5646c9adc503 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3123:3
    #3 0x5646c9adc503 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #4 0x5646c9adb856 in loopBody /src/wren/projects/make/../../src/vm/wren_compiler.c:2995:3
    #5 0x5646c9adb856 in forStatement /src/wren/projects/make/../../src/vm/wren_compiler.c:3118:3
    #6 0x5646c9adb856 in statement /src/wren/projects/make/../../src/vm/wren_compiler.c:3220:5
    #7 0x5646c9ac3d7b in definition /src/wren/projects/make/../../src/vm/wren_compiler.c:3764:5
    #8 0x5646c9acd04d in finishBlock /src/wren/projects/make/../../src/vm/wren_compiler.c:1790:5
    #9 0x5646c9acc0fe in finishBody /src/wren/projects/make/../../src/vm/wren_compiler.c:1805:27
    #10 0x5646c9ad677b in method /src/wren/projects/make/../../src/vm/wren_compiler.c:3497:5
    #11 0x5646c9ad677b in classDefinition /src/wren/projects/make/../../src/vm/wren_compiler.c:3598:10
    #12 0x5646c9ac3cdc in definition /src/wren/projects/make/../../src/vm/wren_compiler.c
    #13 0x5646c9abd03d in wrenCompile /src/wren/projects/make/../../src/vm/wren_compiler.c:3815:7
    #14 0x5646c9aa9aa3 in compileInModule /src/wren/projects/make/../../src/vm/wren_vm.c:484:15
    #15 0x5646c9aa8f26 in wrenCompileSource /src/wren/projects/make/../../src/vm/wren_vm.c:1538:25
    #16 0x5646c9aa8f26 in wrenInterpret /src/wren/projects/make/../../src/vm/wren_vm.c:1517:25
    #17 0x5646c9a9dca5 in main /src/wren/fuzz_wren.c:51:34
    #18 0x7f3623d9b1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #19 0x7f3623d9b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #20 0x5646c99bc5c4 in _start (/src/wren/bin/fuzz_wren+0x365c4) (BuildId: 5d78be029a4b6a34067ee0d0f65b83b8780504cc)

==87770==Register values:
rax = 0x00000000000005c8  rbx = 0x00000fe6c44d5874  rcx = 0x00000000000000b9  rdx = 0x0000000000000000  
rdi = 0x0003ffffffffffff  rsi = 0x0000000000000000  rbp = 0x00007ffe70d7f4b0  rsp = 0x00007ffe70d7f4b0  
 r8 = 0x0000000000000002   r9 = 0x0000000000000068  r10 = 0x0000000000000068  r11 = 0x0000000000000000  
r12 = 0x00005646c9b63900  r13 = 0x0000000000000059  r14 = 0x00000ac8d936c720  r15 = 0x00007f36226ac3a0  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/wren/projects/make/../../src/vm/wren_compiler.c:2961:25 in getByteCountForArguments
==87770==ABORTING