The cairoStringUnpack function in the Cairo library has a potential out-of-bounds memory access issue when handling the pending word. This can lead to unexpected behavior or crashes if the function tries to access memory outside the allocated buffer.
Looking at the cairoStringUnpack function, it processes a packed Cairo string and unpacks it into a standard string. After processing the main part of the string, the function increments offset by dataLen and then reads buf[offset + 1] to get the number of characters in the pending word. If offset + 1 is not a valid index into the buffer (that is, it is at or beyond the buffer length), this read is an out-of-bounds memory access.
If offset + 1 exceeds the length of the buffer, the function will attempt to access memory outside the allocated buffer. This can lead to unexpected behavior, crashes, or potential security vulnerabilities.
Manual code review
Add a check to ensure that offset + 1 is within the bounds of the buffer before accessing it.

This check ensures that the function does not attempt to access memory outside the bounds of the buffer, thereby addressing the logic issue.
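As an added illustration (not the audited library's own code), the following Python models the serialized Cairo ByteArray layout this kind of function consumes and places the unchecked read beside a version with the recommended bounds check. The layout, the packer and the function names are assumptions made for the example.

```python
# Added example (not the audited library's own code). Models a serialized
# Cairo ByteArray and shows the bounds check the finding recommends.
# Assumed layout (Cairo's Serde encoding of a ByteArray):
#   buf[0]              dataLen: number of full 31-byte words
#   buf[1 .. dataLen]   the bytes31 words, each an int holding 31 ASCII bytes
#   buf[dataLen + 1]    pending_word: the trailing partial word
#   buf[dataLen + 2]    pending_word_len: byte length of pending_word (< 31)
BYTES31 = 31


def cairo_string_pack(s: str) -> list:
    """Constructed encoder so the example can build valid inputs offline."""
    raw = s.encode("ascii")
    full, rest = divmod(len(raw), BYTES31)
    buf = [full]
    for i in range(full):
        buf.append(int.from_bytes(raw[i * BYTES31:(i + 1) * BYTES31], "big"))
    buf.append(int.from_bytes(raw[full * BYTES31:], "big"))
    buf.append(rest)
    return buf


def cairo_string_unpack_unchecked(buf: list) -> str:
    """Pattern described in the finding: no check before buf[offset + 1]."""
    data_len, offset, out = buf[0], 1, bytearray()
    for i in range(data_len):
        out += buf[offset + i].to_bytes(BYTES31, "big")
    offset += data_len
    pending_len = buf[offset + 1]  # reads past the end of a truncated buffer
    out += buf[offset].to_bytes(pending_len, "big")
    return out.decode("ascii")


def cairo_string_unpack(buf: list) -> str:
    """Hardened version: indices are validated against len(buf) before use."""
    if not buf:
        raise ValueError("empty buffer")
    data_len, offset, out = buf[0], 1, bytearray()
    # pending_word sits at offset + data_len and pending_word_len right after
    # it, so the buffer must hold at least offset + data_len + 2 elements.
    if offset + data_len + 1 >= len(buf):
        raise ValueError("truncated Cairo string: pending word out of bounds")
    for i in range(data_len):
        out += buf[offset + i].to_bytes(BYTES31, "big")
    offset += data_len
    pending, pending_len = buf[offset], buf[offset + 1]
    if pending_len >= BYTES31 or pending >= 1 << (8 * pending_len):
        raise ValueError("pending word inconsistent with pending_word_len")
    out += pending.to_bytes(pending_len, "big")
    return out.decode("ascii")
```

Feeding a buffer that ends right after the data words makes the unchecked variant fail with an index error, while the hardened variant rejects it with a clear message before any read.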
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.