Refactor parseUint, parseInt and parseHexUint to check bounds #5304

Merged
merged 12 commits into from
Nov 25, 2024

@ernestognw ernestognw commented Nov 19, 2024

Fixes M-01 and M-02

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)

changeset-bot bot commented Nov 19, 2024

⚠️ No Changeset found

Latest commit: 04624b4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@ernestognw
Member Author

I think it's easier to fix both M-02 and M-01 within the same PR. The implementation adds an extra check that begin <= end in tryParseUint. I think this is the right direction, though. Otherwise it would be inconsistent that for invalid ranges the tryParseUint function returns (true, 0) whereas their counterparts return (false, 0).

Using the new private functions seemed like a good middle ground IMO and we're not extending the interface.

@ernestognw ernestognw changed the title Validate tryParseHexUint excludes values of out bounds Refactor parseUint, parseInt and parseHexUint to check bounds Nov 19, 2024
@ernestognw ernestognw requested a review from a team November 19, 2024 15:55
@Amxx Amxx added this to the 5.2-after-freeze milestone Nov 19, 2024
Collaborator

@Amxx Amxx left a comment

There are still some potentially out of bound reads

  • line 262: if string is sub empty (begin=end), then there is no sign to read.
  • line 336: similar, if string is empty, there is no prefix to check.
  • line 394: similar, if string is empty, there is no prefix to check.
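
The checks discussed in this thread (a valid `begin`/`end` range, and no sign read from an empty substring), as an added Solidity example that is not the PR's or OpenZeppelin's code. The library and function names are hypothetical, and treating an empty range as a failure is a choice made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not OpenZeppelin's code. All names are hypothetical.
library BoundedParseExample {
    // Parses a signed decimal from input[begin:end). Returns (false, 0) on
    // any invalid range or malformed input instead of reverting.
    function tryParseIntRange(
        string memory input,
        uint256 begin,
        uint256 end
    ) internal pure returns (bool, int256) {
        bytes memory buf = bytes(input);

        // Reject ranges that leave the buffer or are inverted.
        if (end > buf.length || begin > end) return (false, 0);

        // Read a sign byte only if the range holds at least one byte.
        bool negative = false;
        uint256 i = begin;
        if (i < end && (buf[i] == bytes1("-") || buf[i] == bytes1("+"))) {
            negative = buf[i] == bytes1("-");
            i++;
        }

        // Assumption of this example: an empty range or a bare sign fails.
        if (i == end) return (false, 0);

        // Largest magnitude that fits int256: 2**255 - 1, or 2**255 if negative.
        uint256 limit = uint256(type(int256).max) + (negative ? 1 : 0);
        uint256 abs = 0;
        for (; i < end; i++) {
            uint8 c = uint8(buf[i]);
            if (c < 48 || c > 57) return (false, 0); // not '0'..'9'
            uint256 d = c - 48;
            // Equivalent to abs * 10 + d > limit, without overflowing.
            if (abs > (limit - d) / 10) return (false, 0);
            abs = abs * 10 + d;
        }

        if (!negative) return (true, int256(abs));
        // 2**255 cannot be negated as an int256, so map it directly.
        if (abs == limit) return (true, type(int256).min);
        return (true, -int256(abs));
    }
}
```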

@ernestognw ernestognw enabled auto-merge (squash) November 21, 2024 15:39
@Amxx Amxx disabled auto-merge November 22, 2024 15:58
@Amxx Amxx requested a review from a team November 22, 2024 15:59
@Amxx Amxx enabled auto-merge (squash) November 22, 2024 15:59
@Amxx Amxx disabled auto-merge November 25, 2024 10:04
@Amxx Amxx merged commit b3ce884 into OpenZeppelin:master Nov 25, 2024
15 checks passed
Amxx added a commit to Amxx/openzeppelin-contracts that referenced this pull request Nov 30, 2024
…penZeppelin#5304)

Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com>
Signed-off-by: Hadrien Croubois <hadrien.croubois@gmail.com>