Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArrayCoder can cause large memory usage when decoding bad data #1486

Closed
arvola opened this issue Apr 19, 2021 · 2 comments
Closed

ArrayCoder can cause large memory usage when decoding bad data #1486

arvola opened this issue Apr 19, 2021 · 2 comments
Labels
enhancement New feature or improvement. fixed/complete This Bug is fixed or Enhancement is complete and published.

Comments

@arvola
Copy link

arvola commented Apr 19, 2021

Describe the bug
When attempting to use ArrayCoder on data that isn't compatible, a potentially random amount of memory will be used because the array of AnonymousCoder instances are created before attempting to decode.

Since the length is read first, this number could be anything. If it's not above JavaScript's MAX_SAFE_INTEGER, it'll be used and that many AnonymousCoders are created.

In our case, it was trying to create an array of 580,542,139,465,728 elements, and would always crash the process of course.

It is certainly an edge case, I don't expect many people to run into the issue. We are using ethers.js in a system that attempts to decode transactions without fully knowing the ABI, hence the possibility of the data not matching.

I've fixed the issue in our codebase by using a simple lazy array implementation, I would be happy to create a pull request.

Reproduction steps

import { EventFragment, Interface } from "@ethersproject/abi";

let iface = new Interface([]);

iface.decodeEventLog(
    EventFragment.from({
        name: "TransferBatch",
        inputs: [
            { type: "address" },
            { type: "address" },
            { type: "address" },
            { type: "uint256[]" },
            { type: "uint256[]" },
        ],
        type: "event",
    }),
    "0x00000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000001d00000000000000000000000000000000000000000000000000000000000001050000000000000000000000000000000000000000000000000000000000000150000000000000000000000000000000000000000000000000000000000000015a00000000000000000000000000000000000000000000000000000000000001bf00000000000000000000000000000000000000000000000000000000000001fb00000000000000000000000000000000000000000000000000000000000002100000000000000000000000000000000000000000000000000000000000000251000000000000000000000000000000000000000000000000000000000000026f000000000000000000000000000000000000000000000000000000000000029100000000000000000000000000000000000000000000000000000000000002af00000000000000000000000000000000000000000000000000000000000002e000000000000000000000000000000000000000000000000000000000000002f30000000000000000000000000000000000000000000000000000000000000318000000000000000000000000000000000000000000000000000000000000031c0000000000000000000000000000000000000000000000000000000000000371000000000000000000000000000000000000000000000000000000000000039900000000000000000000000000000000000000000000000000000000000003a500000000000000000000000000000000000000000000000000000000000003ac00000000000000000000000000000000000000000000000000000000000003c000000000000000000000000000000000000000000000000000000000000003d400000000000000000000000000000000000000000000000000000000000003fd000000000000000000000000000000000000000000000000000000000000041000000000000000000000000000000000000000000000000000000000000004240000000000000000000000000000000000000000000000000000000000000428000000000000000000000000000000000000000000000000000000000000043400000000000000000000000000000000000000000000000000000000000004410000000000000000000000000000000000000000000000000000000000000447000000000000000000000000000000000000000000000000000000000000047500000000000000000000000000000000000000000000000000000000000004a4000000000000000000000000000000000000000000000000000000000000001d00000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000640000000000000000000000000000000000000000000000000000000000000064",
    [
        "0x4a39dc06d4c0dbc64b70af90fd698a233a518aa5d07e595d983b8c0526c8f7fb",
        "0x000000000000000000000000a519711c25a631e55a6eac19d1f2858c97a86a95",
        "0x000000000000000000000000a519711c25a631e55a6eac19d1f2858c97a86a95",
        "0x00000000000000000000000076e1f3de45793f5b0263f39178db54ffe479291d",
    ]
);

Search Terms
ArrayCoder memory AnonymousCoder
@arvola arvola added the investigate Under investigation and may be a bug. label Apr 19, 2021
@ricmoo ricmoo added on-deck This Enhancement or Bug is currently being worked on. enhancement New feature or improvement. and removed investigate Under investigation and may be a bug. labels Apr 20, 2021
ricmoo added a commit that referenced this issue Apr 20, 2021
@ricmoo
Fail early for ABI decoding that will obviously run out of data (#1486).
51f0e1a
@ricmoo
Copy link
Member

ricmoo commented Apr 20, 2021

This should be fixed in 5.1.3. Can you try it out and let me know? Thanks! :)

@ricmoo ricmoo added fixed/complete This Bug is fixed or Enhancement is complete and published. and removed on-deck This Enhancement or Bug is currently being worked on. labels Apr 20, 2021
@arvola
Copy link
Author

arvola commented Apr 20, 2021

Confirmed fixed with the update. Thank you.

@arvola arvola closed this as completed Apr 20, 2021
pull bot pushed a commit to shapeshift/ethers.js that referenced this issue Jun 4, 2021
@ricmoo @pull
Fail early for ABI decoding that will obviously run out of data (ethe…
23b0d92 
…rs-io#1486).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or improvement. fixed/complete This Bug is fixed or Enhancement is complete and published.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arvola @ricmoo