Unrated severity · NVD Advisory · Published Oct 28, 2022 · Updated May 8, 2025

CVE-2022-43282

Description

wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallIndirectExpr->GetReturnCallDropKeepCount.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3

Vulnerability mechanics

Root cause

"Missing bounds check in GetReturnCallDropKeepCount when accessing a type vector leads to an out-of-bounds read."

Attack vector

An attacker supplies a crafted WebAssembly binary (`.wasm` file) that contains a malformed `return_call_indirect` instruction. When `wasm-interp` (built with `--enable-all`) parses this instruction, the `OnReturnCallIndirectExpr` handler invokes `GetReturnCallDropKeepCount`, which reads past the bounds of a type vector, causing a segmentation fault [ref_id=1]. No authentication or special privileges are required — the victim need only run the interpreter on the malicious file.

Affected code

The out-of-bounds read occurs in `wabt::interp::(anonymous namespace)::BinaryReaderInterp::GetReturnCallDropKeepCount` at `src/interp/binary-reader-interp.cc:445` [ref_id=1]. The crash is triggered when `OnReturnCallIndirectExpr` (line 1176) calls `GetReturnCallDropKeepCount`, which performs a `size()` call on a `std::vector

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] does not provide a fix or remediation guidance; it only documents the crash and the proof-of-concept file. Based on the stack trace, the vulnerability stems from missing bounds checking in `GetReturnCallDropKeepCount` when accessing the type vector of a `FuncType` — a fix would need to validate that the index used to query the vector does not exceed its size before calling `size()` or accessing elements.

Preconditions

  • input: The victim must run `wasm-interp` (version 1.0.29, commit 3054d61f703d609995798f872fc86b462617c294) with the `--enable-all` flag on a malicious `.wasm` file.
  • input: The attacker must supply a crafted `.wasm` binary containing a malformed `return_call_indirect` instruction.

Reproduction

Download the proof-of-concept file `poc-interp-3.wasm` (provided as `poc-interp-3.wasm.zip` in the advisory [ref_id=1]). Run: `wasm-interp --enable-all ./poc-interp-3.wasm`. The interpreter will crash with an AddressSanitizer SEGV at `GetReturnCallDropKeepCount`.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
