> This looks like a release assertion and the variant a null deref. On the surface it doesn't look exploitable, but maybe there's a way to get a different "wrong" result that gets around the release assert?

I don't really dive into the possibility of different ways to exploit it. The wasm validation algorithm was incorrect, and the following compilation code does not expect input of wrong length. So, eventually, it would crash at some point at the compilation stage. The tail calls feature is currently enabled only in nightly (see bug 1846789).
Bug 1851568 Comment 10 Edit History
> This looks like a release assertion and the variant a null deref. On the surface it doesn't look exploitable, but maybe there's a way to get a different "wrong" result that gets around the release assert?

I didn't really dive into the possibility of different ways to exploit it. The wasm validation algorithm was incorrect, and the following compilation code does not expect input of wrong length. So, eventually, it would crash at some point at the compilation stage. The tail calls feature is currently enabled only in nightly (see bug 1846789).