Restrict size for dynamic memory array creation.

Changelog.md

@@ -1,5 +1,9 @@
 ### 0.6.5 (unreleased)
 
+Important Bugfixes:
+ * Code Generator: Restrict the size of dynamic memory arrays to 64 bits during creation at runtime fixing a possible overflow.
+
+
 Language Features:
 
 

libsolidity/codegen/ExpressionCompiler.cpp

@@ -995,6 +995,12 @@ bool ExpressionCompiler::visit(FunctionCall const& _functionCall)
 			// Fetch requested length.
 			acceptAndConvert(*arguments[0], *TypeProvider::uint256());
 
+			// Make sure we can allocate memory without overflow
+			m_context << u256(0xffffffffffffffff);
+			m_context << Instruction::DUP2;
+			m_context << Instruction::GT;
+			m_context.appendConditionalRevert();
+
 			// Stack: requested_length
 			utils().fetchFreeMemoryPointer();
 

test/libsolidity/semanticTests/array/create_memory_array_too_large.sol

@@ -0,0 +1,24 @@
+contract C {
+    function f() public returns (uint256) {
+        uint256 l = 2**256 / 32;
+        // This used to work without causing an error.
+        uint256[] memory x = new uint256[](l);
+        uint256[] memory y = new uint256[](1);
+        x[1] = 42;
+        // This used to overwrite the value written above.
+        y[0] = 23;
+        return x[1];
+    }
+    function g() public returns (uint256) {
+        uint256 l = 2**256 / 2 + 1;
+        // This used to work without causing an error.
+        uint16[] memory x = new uint16[](l);
+        uint16[] memory y = new uint16[](1);
+        x[2] = 42;
+        // This used to overwrite the value written above.
+        y[0] = 23;
+        return x[2];
+    }}
+// ----
+// f() -> FAILURE
+// g() -> FAILURE