VYPR
Unrated severity · NVD Advisory · Published May 23, 2023 · Updated Jan 31, 2025

CVE-2023-31669

Description

WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote (").

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation in the wat2wasm lexer causes an uncaught std::length_error exception when '@' appears directly before a quote character."

Attack vector

An attacker provides a maliciously crafted `.wat` file containing the sequence `@"` (an `@` character immediately followed by a double-quote) to the wat2wasm utility. When the parser encounters this sequence, it triggers an uncaught `std::length_error` exception in the C++ standard library's `basic_string` implementation, causing the process to abort with a `libc++abi.dylib` crash [ref_id=1]. The attack requires no special privileges — the victim simply runs wat2wasm on the attacker-supplied file. The minimal crashing input is `(@_memory" (memory $mem))` where `@"` appears without any whitespace between them [ref_id=1].

Affected code

The crash occurs in the wat2wasm tool from WABT (WebAssembly Binary Toolkit) version 1.0.32 when parsing a `.wat` file that contains the character `@` immediately before a double-quote character (`"`). The specific code path is the lexer/parser that handles string tokenization; the `@` character placed directly before an opening quote causes an uncaught `std::length_error: basic_string` exception during string processing [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] describes the expected behavior: instead of crashing, wat2wasm should produce a proper error message such as "newline in string" or "unexpected token", similar to the errors produced when the `@` character is replaced with `*`. The fix would involve adding input validation in the lexer to handle the `@` character before a quote gracefully, catching the `std::length_error` exception or preventing the invalid string state from occurring, and emitting a user-friendly parse error instead of aborting [ref_id=1].

Preconditions

  • Input: the victim must run wat2wasm on a `.wat` file supplied by the attacker.
  • Input: the `.wat` file must contain the character `@` immediately followed by a double-quote character (`"`).

Reproduction

Create a `.wat` file with the following minimal content: `(@_memory" (memory $mem))`. Run `wat2wasm` on that file. The tool will crash with `libc++abi.dylib: terminating with uncaught exception of type std::length_error: basic_string` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
