Fix array decoding offset overflow.

2023-10-03 13:03:40 +00:00 · 2021-04-07 16:44:02 +02:00 · 2021-04-07 16:44:02 +02:00 · 72d0a56a72
commit 72d0a56a72
parent 32b8332867
4 changed files with 12 additions and 17 deletions
--- a/libsolidity/codegen/ABIFunctions.cpp
+++ b/libsolidity/codegen/ABIFunctions.cpp
@ -1187,19 +1187,14 @@ string ABIFunctions::abiDecodingFunctionArrayAvailableLength(ArrayType const& _t
 					dst := add(array, 0x20)
 				</dynamic>
 				let src := offset
-				<?dynamicBase>
-					// TODO add check that we can actually load from all
-					// offset pointers, i.e. as below, but with stride being 0x20.
-				<!dynamicBase>
 				if gt(add(src, mul(length, <stride>)), end) {
 					<revertInvalidStride>
 				}
-				</dynamicBase>
 				for { let i := 0 } lt(i, length) { i := add(i, 1) }
 				{
 					<?dynamicBase>
 						let innerOffset := <load>(src)
-						// TODO add overflow check
+						if gt(innerOffset, 0xffffffffffffffff) { <revertStringOffset> }
 						let elementPos := add(offset, innerOffset)
 					<!dynamicBase>
 						let elementPos := src
@ -1218,11 +1213,11 @@ string ABIFunctions::abiDecodingFunctionArrayAvailableLength(ArrayType const& _t
 		templ("dynamic", _type.isDynamicallySized());
 		templ("load", _fromMemory ? "mload" : "calldataload");
 		templ("dynamicBase", _type.baseType()->isDynamicallyEncoded());
-		if (!_type.baseType()->isDynamicallyEncoded())
 		templ(
 			"revertInvalidStride",
 			revertReasonIfDebug("ABI decoding: invalid calldata array stride")
 		);
+		templ("revertStringOffset", revertReasonIfDebug("ABI decoding: invalid calldata array offset"));
 		templ("decodingFun", abiDecodingFunction(*_type.baseType(), _fromMemory, false));
 		return templ.render();
 	});
--- a/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding.sol
+++ b/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding.sol
@ -26,4 +26,4 @@ contract Test {
 // ====
 // compileViaYul: also
 // ----
-// test() -> 0x01e240
+// test() -> FAILURE
--- a/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_2.sol
+++ b/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_2.sol
@ -27,4 +27,4 @@ contract Test {
 // ====
 // compileViaYul: also
 // ----
-// withinArray() -> 0x03c480
+// withinArray() -> FAILURE
--- a/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_3.sol
+++ b/test/libsolidity/semanticTests/abiencodedecode/offset_overflow_in_array_decoding_3.sol
@ -20,4 +20,4 @@ contract Test {
 // ====
 // compileViaYul: also
 // ----
-// test() -> 0x01e240
+// test() -> FAILURE