From 843ba0476e288fa64efb88f654abf7ce14f3f0b0 Mon Sep 17 00:00:00 2001 From: Charles Cooper Date: Thu, 18 Jan 2024 11:19:34 -0500 Subject: [PATCH 1/3] fix concat buffer bug --- .../builtins/codegen/test_concat.py | 19 +++++++++++++++++++ vyper/builtins/functions.py | 11 +++++------ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/tests/functional/builtins/codegen/test_concat.py b/tests/functional/builtins/codegen/test_concat.py index 5558138551..2afd2f8b95 100644 --- a/tests/functional/builtins/codegen/test_concat.py +++ b/tests/functional/builtins/codegen/test_concat.py @@ -55,6 +55,25 @@ def krazykonkat(z: Bytes[10]) -> Bytes[25]: print("Passed third concat test") +def test_concat_buffer(get_contract): + # GHSA-2q8v-3gqq-4f8p + code = """ +@internal +def bar() -> uint256: + sss: String[2] = concat("a", "b") + return 1 + + +@external +def foo() -> int256: + a: int256 = -1 + b: uint256 = self.bar() + return a + """ + c = get_contract(code) + assert c.foo() == -1 + + def test_concat_bytes32(get_contract_with_gas_estimation): test_concat_bytes32 = """ @external diff --git a/vyper/builtins/functions.py b/vyper/builtins/functions.py index 4f8101dfbe..8ee6f5fd76 100644 --- a/vyper/builtins/functions.py +++ b/vyper/builtins/functions.py @@ -543,13 +543,12 @@ def build_IR(self, expr, context): else: ret_typ = BytesT(dst_maxlen) + # respect API of copy_bytes + bufsize = dst_maxlen + 32 + buf = context.new_internal_variable(BytesT(bufsize)) + # Node representing the position of the output in memory - dst = IRnode.from_list( - context.new_internal_variable(ret_typ), - typ=ret_typ, - location=MEMORY, - annotation="concat destination", - ) + dst = IRnode.from_list(buf, typ=ret_typ, location=MEMORY, annotation="concat destination") ret = ["seq"] # stack item representing our current offset in the dst buffer From 50b50cd69107ddc343bb34cb6f5f288b32817cd6 Mon Sep 17 00:00:00 2001 
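Review bot: The only explanation in `test_concat_buffer` is the advisory id, so the invariant under test cannot be read from the code. The assertion `c.foo() == -1` is there to show that the `concat` call inside `bar()` leaves the local `a` in `foo()` untouched, and `sss` and `b` are deliberately unused. A comment above `code = ...` such as `# concat() in bar() must not write outside its own buffer and clobber foo()'s local` would make a future failure self-explanatory. The same applies to `test_concat_buffer2` and `test_concat_buffer3` in the later patches, where the guarded values are the immutable `i` and the local `i`.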
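Review bot: The comment `# respect API of copy_bytes` does not say what that API requires, so the `+ 32` in `bufsize = dst_maxlen + 32` reads as a magic number at the exact spot where the memory-safety fix lives. The buffer is now allocated as `BytesT(bufsize)` while `dst` is still typed as `ret_typ`; that mismatch looks deliberate (a word of slack past the logical maximum), but nothing states it, and a later cleanup could "simplify" it back. I would write the contract out, e.g. `# copy_bytes may write past dst+length up to the next 32-byte word (confirm against its docstring), so over-allocate by one word; dst keeps ret_typ. See GHSA-2q8v-3gqq-4f8p`. The code that writes into `dst` is outside this hunk, so whether one word of padding covers every write path cannot be confirmed from here.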
From: Charles Cooper Date: Thu, 18 Jan 2024 12:22:04 -0500 Subject: [PATCH 2/3] add another poc (from the ghsa) --- .../functional/builtins/codegen/test_concat.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/functional/builtins/codegen/test_concat.py b/tests/functional/builtins/codegen/test_concat.py index 2afd2f8b95..bc52ed0017 100644 --- a/tests/functional/builtins/codegen/test_concat.py +++ b/tests/functional/builtins/codegen/test_concat.py @@ -74,6 +74,24 @@ def foo() -> int256: assert c.foo() == -1 +def test_concat_buffer2(get_contract): + # GHSA-2q8v-3gqq-4f8p + code = """ +i: immutable(int256) + +@external +def __init__(): + i = -1 + s: String[2] = concat("a", "b") + +@external +def foo() -> int256: + return i + """ + c = get_contract(code) + assert c.foo() == -1 + + def test_concat_bytes32(get_contract_with_gas_estimation): test_concat_bytes32 = """ @external From 80f409e788b0d5366704ff13239e57c7ee7b8d12 Mon Sep 17 00:00:00 2001 From: Charles Cooper Date: Thu, 18 Jan 2024 12:36:01 -0500 Subject: [PATCH 3/3] add another poc per review --- .../builtins/codegen/test_concat.py | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/tests/functional/builtins/codegen/test_concat.py b/tests/functional/builtins/codegen/test_concat.py index bc52ed0017..7354515989 100644 --- a/tests/functional/builtins/codegen/test_concat.py +++ b/tests/functional/builtins/codegen/test_concat.py 
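Review bot: `test_concat_buffer2` repeats the harness of `test_concat_buffer` line for line (`c = get_contract(code)` followed by `assert c.foo() == -1`), and `test_concat_buffer3` in the next patch does so a third time. Because only the contract source differs, one parametrized test over the three sources would keep the regression cases together and make it cheap to add another layout later. Each case could carry an id that names what sits next to the concat buffer, which the bare numeric suffixes do not convey.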
@@ -92,6 +92,33 @@ def foo() -> int256: assert c.foo() == -1 +def test_concat_buffer3(get_contract): + # GHSA-2q8v-3gqq-4f8p + code = """ +s: String[1] +s2: String[33] +s3: String[34] + +@external +def __init__(): + self.s = "a" + self.s2 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" # 33*'a' + +@internal +def bar() -> uint256: + self.s3 = concat(self.s, self.s2) + return 1 + +@external +def foo() -> int256: + i: int256 = -1 + b: uint256 = self.bar() + return i + """ + c = get_contract(code) + assert c.foo() == -1 + + def test_concat_bytes32(get_contract_with_gas_estimation): test_concat_bytes32 = """ @external
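Review bot: `test_concat_buffer3` never reads back `self.s3`, so it shows that `i` survives the call but not that the 34-byte result written through the resized buffer is itself correct. This case appears to be the one that crosses a 32-byte word boundary, so I would check the value as well, e.g. declare `s3: public(String[34])` and add `assert c.s3() == "a" * 34`. The hand-typed literal on the `self.s2 = ...` line is hard to verify by eye even with the `# 33*'a'` comment; building the contract source with `"a" * 33` interpolated would remove that doubt.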