The uint256ArrayDeserialize() and cairoStringArrayDeserialize() functions in the Cairo library lack proper bounds checking, which could result in out-of-bounds array access if given malformed input data.
These deserialization functions read a length value from the input buffer and then attempt to deserialize that many elements without verifying if the buffer contains sufficient data. This can lead to reading beyond the buffer's bounds, potentially returning incorrect data or causing unexpected behavior in contracts using this library.
For example, in uint256ArrayDeserialize():

If len is larger than the remaining elements in buf, the function will continue reading past the end of the array, returning zero values for out-of-bounds accesses.
Manual Review
Implement bounds checking in the deserialization functions to ensure that the input buffer contains enough data for the specified length. For uint256ArrayDeserialize(), add a check like:
Similar checks should be added to other deserialization functions in the library.
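The following is an added illustration, not code from the library or the finding: a small Python model of the length-prefixed deserialization described above, with the unchecked version next to a bounds-checked one. The buffer layout (a length word followed by that many elements, read from an offset), the function names, and the zero-fill on out-of-bounds reads are assumptions chosen to mirror the behaviour the finding describes.

```python
from typing import List, Tuple


class MalformedInput(ValueError):
    """Raised by the checked deserializer when the declared length does not fit."""


def _read_word(buf: List[int], i: int) -> int:
    # Assumption: models the reported behaviour where an out-of-bounds read
    # yields 0 instead of reverting.
    return buf[i] if 0 <= i < len(buf) else 0


def uint256_array_deserialize_unchecked(buf: List[int], offset: int) -> Tuple[List[int], int]:
    """Vulnerable pattern (hypothetical model): trust the length word and read
    that many elements without confirming the buffer holds them."""
    length = _read_word(buf, offset)
    elems = [_read_word(buf, offset + 1 + k) for k in range(length)]
    # Returns silently zero-padded data when the input is truncated.
    return elems, offset + 1 + length


def uint256_array_deserialize_checked(buf: List[int], offset: int) -> Tuple[List[int], int]:
    """Hardened pattern: validate the offset and the declared length against
    the data actually present before any element is read."""
    if offset >= len(buf):
        raise MalformedInput("offset %d is past the end of a %d-word buffer" % (offset, len(buf)))
    length = buf[offset]
    remaining = len(buf) - offset - 1  # words available after the length word
    if length > remaining:
        raise MalformedInput("declared length %d exceeds remaining %d words" % (length, remaining))
    start = offset + 1
    return buf[start:start + length], start + length


def demo() -> dict:
    """Run both deserializers on a well-formed and a truncated buffer.
    Inputs below are constructed for the example."""
    well_formed = [2, 10, 20, 99]     # len=2, two elements, one trailing word
    truncated = [5, 1, 2]             # len=5 but only two elements follow

    result = {
        "ok_unchecked": uint256_array_deserialize_unchecked(well_formed, 0),
        "ok_checked": uint256_array_deserialize_checked(well_formed, 0),
        "bad_unchecked": uint256_array_deserialize_unchecked(truncated, 0),
    }
    try:
        uint256_array_deserialize_checked(truncated, 0)
        result["bad_checked"] = "accepted"
    except MalformedInput as exc:
        result["bad_checked"] = "rejected: %s" % exc
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The unchecked version hands back `[1, 2, 0, 0, 0]` for the truncated buffer and advances the offset past the end of the data, so a caller has no way to tell padding from real elements; the checked version rejects the input before reading anything. The same `length <= remaining` comparison, expressed in the library's own types, is the check the mitigation above calls for, and it applies equally to any other length-prefixed deserializer in the library.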
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.