diff --git a/tests/functional/builtins/codegen/test_abi_decode.py b/tests/functional/builtins/codegen/test_abi_decode.py index 72398ad33c..0f2b04cfa5 100644 --- a/tests/functional/builtins/codegen/test_abi_decode.py +++ b/tests/functional/builtins/codegen/test_abi_decode.py @@ -470,7 +470,8 @@ def test_abi_decode_length_mismatch(get_contract, assert_compile_failed, bad_cod def test_abi_decode_overflow(w3, tx_failed, get_contract): - # test based on GHSA-9p8r-4xp4-gw5w: https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w#advisory-comment-91841 + # test based on GHSA-9p8r-4xp4-gw5w: + # https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w#advisory-comment-91841 # note: doesn't even reach the assert but reverts internally on the clamp in getelemptr code = """ @external @@ -485,7 +486,10 @@ def f(x: Bytes[32 * 3]): assert decoded_y1 != decoded_y2 """ c = get_contract(code) - data = "d45754f800000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000060ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0" + data = "d45754f8" + data += "20".zfill(64) + data += "60".zfill(64) + data += "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0" with tx_failed(): w3.eth.send_transaction({"to": c.address, "data": data}) @@ -510,4 +514,4 @@ def f(x: Bytes[32 * 5]): data += "40".zfill(64) # inner array head data += "3".zfill(64) * 4 # inner array payload - length: 3 | idx0: 3 | idx1: 3 | idx2: 3 with tx_failed(): - w3.eth.send_transaction({"to": c.address, "data": data}) \ No newline at end of file + w3.eth.send_transaction({"to": c.address, "data": data}) diff --git a/vyper/codegen/core.py b/vyper/codegen/core.py index 01fb15d0b9..9ab014ffb3 100644 --- a/vyper/codegen/core.py +++ b/vyper/codegen/core.py @@ -468,15 +468,11 @@ def _getelemptr_abi_helper(parent, member_t, ofst, clamp_=True): with abi_ofst.cache_when_complex("abi_ofst") as (b1, abi_ofst): bound = parent_abi_t.size_bound() end = ["add", abi_ofst, member_abi_t.size_bound()] - # head + member_size must be 'le' upper_bound of the parent buffer + # head + member_size must be 'le' than the upper bound of parent buffer end_clamped = clamp("le", end, bound) - # head + member_size must be 'gt' lower_bound of the parent buffer (no overflow) + # head + member_size must be 'gt' than the head (ie no overflow due to 'add') end_clamped = ["assert", ["gt", end_clamped, abi_ofst]] - ofst_ir = [ - "seq", - end_clamped, - add_ofst(parent, abi_ofst) - ] + ofst_ir = ["seq", end_clamped, add_ofst(parent, abi_ofst)] ofst_ir = b1.resolve(ofst_ir) return IRnode.from_list(