NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Potential out-of-bounds memory access in `Cairo::cairoStringPack()` function

Summary:

The `cairoStringPack()` function in the Cairo library may access memory beyond the bounds of the input string when processing strings whose length is not divisible by `CAIRO_STR_LEN`.

Vulnerability details:

The function calculates `dataLen` as `strBytes.length / CAIRO_STR_LEN`, which truncates any remainder. It then uses this `dataLen` to process full 31-byte chunks, followed by a "pending word" for the remaining bytes. However, for strings whose length is not divisible by 31, the offset used in the final assembly block could exceed the string's length:

    // Integer division drops the remainder, so only full 31-byte chunks are counted.
    uint256 dataLen = strBytes.length / CAIRO_STR_LEN;
    // ... processing full chunks ...
    assembly {
        // Load 32 bytes starting at `offset`; `offset` may point past the
        // end of the string's in-bounds data.
        v := mload(add(strBytes, offset))
        // Keep only the top `pendingLen` bytes of the loaded word.
        v := shr(mul(sub(32, pendingLen), 8), v)
    }

Impact

This could lead to reading uninitialized memory, potentially causing incorrect packing of the string data.

Tools Used

Manual Review

Recommendation:

Adjust the logic to properly handle strings of any length. Calculate `dataLen` with rounding up, process one fewer full chunk in the main loop, and handle the last (potentially partial) chunk separately. For example:

    // Round up so a trailing partial chunk is counted.
    uint256 dataLen = (strBytes.length + CAIRO_STR_LEN - 1) / CAIRO_STR_LEN;
    // ... process (dataLen - 1) full chunks ...
    // Handle the last chunk separately, accounting for potential partial data

Also, ensure `pendingLen` is correctly calculated for all cases, including when the string length is a multiple of `CAIRO_STR_LEN`.
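The following is an added Python model of the recommended chunking (not the NFTBridge contract's code): it rounds `dataLen` up, processes `dataLen - 1` full chunks, handles the last chunk without ever reading past the end of the input, and treats a length that is an exact multiple of 31 as a full word with `pendingLen == 0`. It assumes the Cairo `ByteArray` layout of `[num_words, word..., pending_word, pending_word_len]` with 31-byte words; the unpacker is included only to check the round trip.

```python
# Added example: Python model of the recommended Cairo string packing.
# Assumption: output follows the Cairo ByteArray layout
# [num_words, word_0 .. word_{n-1}, pending_word, pending_word_len],
# where each word holds exactly 31 bytes and the pending word fewer than 31.
CAIRO_STR_LEN = 31


def cairo_string_pack(s: bytes) -> list[int]:
    n = len(s)
    # Round up, as the recommendation suggests, so a trailing partial chunk
    # is counted; the main loop then handles only data_len - 1 full chunks.
    data_len = (n + CAIRO_STR_LEN - 1) // CAIRO_STR_LEN
    words = []
    for i in range(max(data_len - 1, 0)):
        chunk = s[i * CAIRO_STR_LEN:(i + 1) * CAIRO_STR_LEN]
        words.append(int.from_bytes(chunk, "big"))

    pending_word, pending_len = 0, 0
    if data_len > 0:
        # The last chunk is 1..31 bytes; slicing is bounded by len(s),
        # so no byte past the end of the input is ever read.
        last = s[(data_len - 1) * CAIRO_STR_LEN:]
        if len(last) == CAIRO_STR_LEN:
            # Length is a multiple of 31: this is a full word, nothing pending.
            words.append(int.from_bytes(last, "big"))
        else:
            pending_word, pending_len = int.from_bytes(last, "big"), len(last)
    return [len(words), *words, pending_word, pending_len]


def cairo_string_unpack(packed: list[int]) -> bytes:
    # Inverse of cairo_string_pack, used to verify the encoding round-trips.
    num_words = packed[0]
    words = packed[1:1 + num_words]
    pending_word, pending_len = packed[1 + num_words], packed[2 + num_words]
    out = b"".join(w.to_bytes(CAIRO_STR_LEN, "big") for w in words)
    return out + pending_word.to_bytes(pending_len, "big")


def roundtrip_ok(max_len: int) -> bool:
    # Constructed inputs: every length from 0 to max_len, covering 0, 30, 31,
    # 32, 62 and other boundary cases around the 31-byte chunk size.
    for n in range(max_len + 1):
        s = bytes((i * 7 + 3) & 0xFF for i in range(n))
        packed = cairo_string_pack(s)
        if packed[-1] >= CAIRO_STR_LEN or cairo_string_unpack(packed) != s:
            return False
    return True
```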

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
