Skip to content

v0.1.0 - Critical bug fix

Compare
Choose a tag to compare
@GNSPS GNSPS released this 30 Sep 19:51
· 16 commits to master since this release

With this version we up the minor version in an attempt to signal the importance of the fix in an, otherwise, very stable project for a while.

From the README:

There was a critical bug in the slice method, reported on an audit to a DXDao codebase.

Previously, no checks were being made on overflows of the _start and _length parameters since previous reviews of the codebase deemed this overflow "unexploitable" because of an inordinate expansion of memory (i.e., reading an immensely large memory offset causing huge memory expansion) resulting in an out-of-gas exception.

However, as noted in the review mentioned above, this is not the case. The slice method in versions <=0.9.0 actually allows for arbitrary kind of (i.e., it allows memory writes to very specific values) arbitrary memory writes _in the specific case where these parameters are user-supplied inputs and not hardcoded values (which is uncommon).

This made me realize that in permissioned blockchains where gas is also not a limiting factor this could become problematic in other methods and so I updated all typecasting-related methods to include new bound checks as well.

TL;DR: if you're using the slice method with user-supplied inputs in your codebase please update the bytes library immediately!