cerc-io/solidity
10
0
Fork 0
mirror of https://github.com/ethereum/solidity synced 2023-10-03 13:03:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix array decoding offset overflow.

Browse Source
This commit is contained in:
chriseth 2021-04-07 16:44:02 +02:00
parent 32b8332867
commit 72d0a56a72
4 changed files with 12 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libsolidity/codegen/ABIFunctions.cpp
View File

@ -1187,19 +1187,14 @@ string ABIFunctions::abiDecodingFunctionArrayAvailableLength(ArrayType const& _t
dst := add(array, 0x20) dst := add(array, 0x20)
</dynamic> </dynamic>
let src := offset let src := offset
<?dynamicBase>
// TODO add check that we can actually load from all
// offset pointers, i.e. as below, but with stride being 0x20.
<!dynamicBase>
if gt(add(src, mul(length, <stride>)), end) { if gt(add(src, mul(length, <stride>)), end) {
<revertInvalidStride> <revertInvalidStride>
} }
</dynamicBase>
for { let i := 0 } lt(i, length) { i := add(i, 1) } for { let i := 0 } lt(i, length) { i := add(i, 1) }
{ {
<?dynamicBase> <?dynamicBase>
let innerOffset := <load>(src) let innerOffset := <load>(src)
// TODO add overflow check if gt(innerOffset, 0xffffffffffffffff) { <revertStringOffset> }
let elementPos := add(offset, innerOffset) let elementPos := add(offset, innerOffset)
<!dynamicBase> <!dynamicBase>
let elementPos := src let elementPos := src
@ -1218,11 +1213,11 @@ string ABIFunctions::abiDecodingFunctionArrayAvailableLength(ArrayType const& _t
templ("dynamic", _type.isDynamicallySized()); templ("dynamic", _type.isDynamicallySized());
templ("load", _fromMemory ? "mload" : "calldataload"); templ("load", _fromMemory ? "mload" : "calldataload");
templ("dynamicBase", _type.baseType()->isDynamicallyEncoded()); templ("dynamicBase", _type.baseType()->isDynamicallyEncoded());
if (!_type.baseType()->isDynamicallyEncoded())
templ( templ(
"revertInvalidStride", "revertInvalidStride",
revertReasonIfDebug("ABI decoding: invalid calldata array stride") revertReasonIfDebug("ABI decoding: invalid calldata array stride")
); );
templ("revertStringOffset", revertReasonIfDebug("ABI decoding: invalid calldata array offset"));
templ("decodingFun", abiDecodingFunction(*_type.baseType(), _fromMemory, false)); templ("decodingFun", abiDecodingFunction(*_type.baseType(), _fromMemory, false));
return templ.render(); return templ.render();
}); });

2
test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding.sol
View File

@ -26,4 +26,4 @@ contract Test {
// ==== // ====
// compileViaYul: also // compileViaYul: also
// ---- // ----
// test() -> 0x01e240 // test() -> FAILURE

2
test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_2.sol
View File

@ -27,4 +27,4 @@ contract Test {
// ==== // ====
// compileViaYul: also // compileViaYul: also
// ---- // ----
// withinArray() -> 0x03c480 // withinArray() -> FAILURE

2
test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_3.sol
View File

@ -20,4 +20,4 @@ contract Test {
// ==== // ====
// compileViaYul: also // compileViaYul: also
// ---- // ----
// test() -> 0x01e240 // test() -> FAILURE