CVE-2022-43283
Description
wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- wasm2c/wasm2c
- Range: =1.0.29
Patches
Vulnerability mechanics
Root cause
"Missing handling for an unimplemented WebAssembly construct in CWriter::Write causes an abort."
Attack vector
An attacker provides a crafted WebAssembly binary (`.wasm` file) to the `wasm2c` tool. When the tool attempts to convert this module to C source code via `CWriter::Write`, it hits an abort at `src/c-writer.cc:1969` [ref_id=1]. The stack trace shows the string `"unimplemented: %"` on the stack, indicating the tool encountered a construct it does not support and called `abort()` rather than handling it gracefully [ref_id=1]. No authentication or special network access is required — the attacker only needs to supply the malicious file to the converter.
Affected code
The crash occurs in `CWriter::Write` at `src/c-writer.cc:1969` [ref_id=1]. The backtrace shows recursive calls through `CWriter::Write` and `CWriter::Write
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] reports the abort but does not provide a fix or remediation guidance. To close this vulnerability, the `CWriter::Write` function at `src/c-writer.cc:1969` would need to handle the unimplemented WebAssembly construct without aborting — for example, by returning an error or skipping the unsupported feature gracefully.
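A minimal sketch of that remediation pattern, added here as an illustration and not taken from wasm2c's source or from any patch: a toy recursive code writer in which `Kind`, `Expr`, `EmitOrAbort`, `Emit` and `Convert` are all hypothetical names. `EmitOrAbort` reproduces the abort-on-unsupported behaviour described above, while `Emit` reports the unsupported construct and propagates the failure up through the recursion.

```cpp
// Added illustration, not wasm2c source: Kind, Expr, Emit* and Convert are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

enum class Kind { Const, Add, Block, Unsupported };  // Unsupported: a construct the writer lacks
struct Expr { Kind kind; int value; std::vector<Expr> children; };

Expr Leaf(Kind k, int v = 0) { return Expr{k, v, {}}; }
Expr Block(const std::vector<Expr>& c) { return Expr{Kind::Block, 0, c}; }

// "Before" pattern: an unsupported node anywhere in the tree kills the whole process.
void EmitOrAbort(const Expr& e, std::string& out) {
  switch (e.kind) {
    case Kind::Const: out += "push(" + std::to_string(e.value) + ");\n"; return;
    case Kind::Add:   out += "add();\n"; return;
    case Kind::Block: for (const Expr& c : e.children) EmitOrAbort(c, out); return;
    default:
      std::fprintf(stderr, "unimplemented: %d\n", static_cast<int>(e.kind));
      std::abort();
  }
}

// "After" pattern: the failure is reported and propagated up through the recursion.
bool Emit(const Expr& e, std::string& out, std::string& err) {
  switch (e.kind) {
    case Kind::Const: out += "push(" + std::to_string(e.value) + ");\n"; return true;
    case Kind::Add:   out += "add();\n"; return true;
    case Kind::Block:
      for (const Expr& c : e.children)
        if (!Emit(c, out, err)) return false;
      return true;
    default:
      err = "unsupported construct kind " + std::to_string(static_cast<int>(e.kind));
      return false;
  }
}

// Converts a whole tree; on failure no partial output is handed to the caller.
bool Convert(const Expr& root, std::string& out, std::string& err) {
  out.clear(); err.clear();
  if (Emit(root, out, err)) return true;
  out.clear();
  return false;
}

// Constructed sample inputs: one fully supported, one with a nested unsupported node.
Expr SampleGood() { return Block({Leaf(Kind::Const, 2), Leaf(Kind::Const, 3), Leaf(Kind::Add)}); }
Expr SampleBad()  { return Block({Leaf(Kind::Const, 1), Block({Leaf(Kind::Unsupported)})}); }
```

A caller that processes untrusted modules can then turn a `false` result from `Convert` into a non-zero exit status and a diagnostic, instead of the process dying on `SIGABRT`.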
Preconditions
- input: Attacker must supply a crafted `.wasm` file that triggers an unimplemented construct in wasm2c's CWriter.
- config: The victim must run wasm2c (v1.0.29) on the malicious file, e.g. with the `--enable-multi-memory` flag as shown in the PoC.
Reproduction
The bundle includes a PoC file (`poc_wasm2c-1.wasm`) and a command: `wasm2c --enable-multi-memory ./poc_wasm2c-1.wasm` [ref_id=1]. Running this command against wasm2c v1.0.29 (commit 3054d61f703d609995798f872fc86b462617c294) built with `make clang-debug-asan` triggers the abort in `CWriter::Write` at `src/c-writer.cc:1969` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References