Judge has assessed an item in Issue #49 as 2 risk. The relevant finding follows:
QA10. readKeyValue() fails to enforce the constraint offset+len<=input.length. As a result, the key-value pair might be read from dirty memory area that is beyond the memory range of input and thus could be wrong.
Mitigation: make sure offset+len<=input.length:
function readKeyValue(
bytes memory input,
uint256 offset,
uint256 len
)
internal
pure
returns (bytes memory key, bytes memory value, uint256 nextOffset)
{
+ if(offset + len > input.length) revert outOfBoundAccess();
uint256 separator = input.find(offset, len, "=");
if (separator == type(uint256).max) {
return ("", "", type(uint256).max);
}
uint256 terminator = input.find(
separator,
len + offset - separator,
" "
);
if (terminator == type(uint256).max) {
- terminator = input.length;
+ terminator = offset + len;
}
key = input.substring(offset, separator - offset);
value = input.substring(separator + 1, terminator - separator - 1);
nextOffset = terminator + 1;
}
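Review bot: the custom error `outOfBoundAccess()` referenced in the added `+ if(offset + len > input.length) revert outOfBoundAccess();` line is not declared anywhere in the snippet; the fix needs an `error outOfBoundAccess();` declaration at file or library scope (or must reuse an existing error) or it will not compile. The `>` comparison is the right one, since `offset + len == input.length` reads exactly to the end of `input` and is legitimate, and with a Solidity 0.8 compiler the addition itself reverts on overflow, so no extra overflow guard is needed. The `+ terminator = offset + len;` change is consistent with the new bound: the second `find` only scans `len + offset - separator` bytes, so clamping to `offset + len` rather than `input.length` keeps the value read inside the window the caller asked for.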