fix: prevent uint32 overflow in CertTable bounds check #186

Open
Flo354 wants to merge 1 commit into google:main from Flo354:fix/certtable-uint32-overflow

Flo354 commented Mar 23, 2026

The bounds check in CertTable.Unmarshal (abi/abi.go:871) uses uint32 arithmetic:

if entry.Offset+entry.Length > uint32(len(certs)) {

When Offset + Length exceeds 2^32, the addition wraps around and the check passes. The subsequent slice access at line 875 uses Go's int-sized indexing (64-bit on amd64), causing a panic:

runtime error: slice bounds out of range [4294967294:1]

For example, Offset=0xFFFFFFFE and Length=3 wraps to 0x1, bypassing the check for any cert table larger than 1 byte.

The fix replaces the single addition with an overflow-safe comparison:

certsLen := uint32(len(certs))
if entry.Offset > certsLen || entry.Length > certsLen-entry.Offset {

Files changed: abi/abi.go

CertTable.Unmarshal uses entry.Offset+entry.Length in a uint32
bounds check. When the sum exceeds 2^32 it wraps around, bypassing
the check. The subsequent slice access panics.

Replace with overflow-safe comparison that checks each component
separately.
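
The two checks quoted in the PR description, run side by side over constructed entries. This is an added example, not code from the pull request or the project: the `entry` type, the function names and the 16-byte buffer are assumptions, and the slice expression is inferred from the panic message.

```go
package main

import (
	"errors"
	"fmt"
)

// entry is a hypothetical stand-in; only Offset and Length come from the PR.
type entry struct{ Offset, Length uint32 }

var errBounds = errors.New("cert entry out of bounds")

// sliceWrapping applies the original check; a wrapped sum lets the slice panic (recovered here).
func sliceWrapping(e entry, certs []byte) (out []byte, panicked bool, err error) {
	defer func() {
		if recover() != nil {
			out, panicked = nil, true
		}
	}()
	if e.Offset+e.Length > uint32(len(certs)) {
		return nil, false, errBounds
	}
	return certs[e.Offset : e.Offset+e.Length], false, nil
}

// sliceSafe applies the replacement check. Offset is validated first, so
// certsLen-e.Offset cannot underflow. Assumes len(certs) fits in a uint32.
func sliceSafe(e entry, certs []byte) ([]byte, error) {
	certsLen := uint32(len(certs))
	if e.Offset > certsLen || e.Length > certsLen-e.Offset {
		return nil, errBounds
	}
	return certs[e.Offset : e.Offset+e.Length], nil
}

func main() {
	certs := make([]byte, 16) // constructed 16-byte table body
	cases := []entry{
		{4, 12},         // in range, ends exactly at len
		{16, 0},         // empty entry at the end
		{8, 9},          // one byte past the end, no wrap
		{0xFFFFFFFE, 3}, // sum wraps to 1 (example from the PR)
		{1, 0xFFFFFFFF}, // sum wraps to 0
	}
	for _, e := range cases {
		_, panicked, werr := sliceWrapping(e, certs)
		_, serr := sliceSafe(e, certs)
		fmt.Printf("%+v wrapping: panic=%v err=%v | safe: err=%v\n", e, panicked, werr, serr)
	}
}
```

The in-range and plain out-of-range entries behave identically under both checks; only the two wrapping entries differ, panicking under the original check and returning an error under the replacement.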