Skip to content

fix(store): prevent delete out of bounds in spliceDynamicData #3521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 17, 2025
Merged

fix(store): prevent delete out of bounds in spliceDynamicData #3521

merged 5 commits into from
Mar 17, 2025

Conversation

@alvrs
Copy link
Member

@alvrs alvrs commented Jan 28, 2025
edited
Loading

In spliceDynamicData, we’re checking that start is within the bounds of the previous field length but aren’t considering deleteCount in that check. There is another check that checks that start + deleteCount lines up with the previous length of the field if the total length of the field changed, but this only applies if the length changed. That means if the length of the data to insert is the same as deleteCount, it is possible to “insert data after the length of the field” (ie by setting start to the end of the field). I put “insert data after the length of the field” in quotes, since the length of the field is not actually changed, which means when retrieving the whole field onchain the data appended at the end would not be included, similar to how items that are pop’ed from a dynamic field are not actually cleared from storage but just the field length is reduced.

But means indexers/clients need to be aware of this nuance and use encodedLengths as source of truth (like we do onchain).

We can remove this edge case by changing the check to if(startWithinField > previousFieldLength - deleteCount).

When using our table libraries this does not happen since they don't call spliceDynamicData with an invalid start value, but it’s possible to trigger this by calling world.spliceDynamicData manually.

@changeset-bot
Copy link

changeset-bot bot commented Jan 28, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 1a15f90

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@frolic frolic added the needs audit This code needs to be audited label Feb 5, 2025
@alvrs alvrs force-pushed the splice-dynamic-data-patch branch from 3b20599 to 10bbab5 Compare February 7, 2025 14:03
@frolic frolic mentioned this pull request Feb 28, 2025
Draft
@alvrs alvrs force-pushed the splice-dynamic-data-patch branch from 10bbab5 to 3ff178f Compare March 17, 2025 19:54
@alvrs alvrs changed the base branch from main to audit-2 March 17, 2025 19:55
@alvrs alvrs changed the base branch from audit-2 to main March 17, 2025 19:57
@alvrs alvrs changed the base branch from main to audit-2 March 17, 2025 19:57
@alvrs alvrs force-pushed the splice-dynamic-data-patch branch from 3ff178f to 5027f3e Compare March 17, 2025 21:10
@alvrs alvrs marked this pull request as ready for review March 17, 2025 22:15
@alvrs alvrs merged commit 7a3e580 into audit-2 Mar 17, 2025
14 of 15 checks passed
@alvrs alvrs deleted the splice-dynamic-data-patch branch March 17, 2025 22:15
@alvrs alvrs restored the splice-dynamic-data-patch branch March 17, 2025 22:15
@alvrs
Copy link
Member Author

alvrs commented Mar 17, 2025

combining all changes that require an audit into #3630

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs audit This code needs to be audited

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alvrs @frolic