
Commit 14e85ad

fix: STAA-8 boundry checks remediation commit i
1 parent 2f8d809 commit 14e85ad


1 file changed

+30
-0
lines changed

1 file changed

+30
-0
lines changed

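--- a/src/lib/DataParserLib.sol
+++ b/src/lib/DataParserLib.sol
@@ -24,18 +24,33 @@ library DataParserLib {
 {
 uint256 p;
 assembly ("memory-safe") {
+let dataSize := calldatasize() // Get total calldata size
 p := packedData.offset
+
+// Check if reading module address is within bounds
+if gt(add(p, 0x14), dataSize) { revert(0, 0) }
 module := shr(96, calldataload(p))
 
 p := add(p, 0x14)
+// Check if reading moduleType is within bounds
+if gt(add(p, 0x20), dataSize) { revert(0, 0) }
 moduleType := calldataload(p)
 
+// Check if reading moduleInitData length pointer (32 bytes) is within bounds
+if gt(add(add(p, 0x20), 0x20), dataSize) { revert(0, 0) }
 moduleInitData.length := shr(224, calldataload(add(p, 0x20)))
 moduleInitData.offset := add(p, 0x24)
+// Boundary Check: Ensure the calculated moduleInitData segment (offset + length)
+// does not exceed the actual calldata size. Revert if it does.
+if gt(add(moduleInitData.offset, moduleInitData.length), dataSize) { revert(0, 0) }
 p := add(moduleInitData.offset, moduleInitData.length)
 
+// Check if reading enableModeSignature length is within bounds
+if gt(add(p, 0x20), dataSize) { revert(0, 0) }
 enableModeSignature.length := shr(224, calldataload(p))
 enableModeSignature.offset := add(p, 0x04)
+// Boundary Check: Ensure enableModeSignature segment doesn't exceed calldata
+if gt(add(enableModeSignature.offset, enableModeSignature.length), dataSize) { revert(0, 0) }
 p := sub(add(enableModeSignature.offset, enableModeSignature.length), packedData.offset)
 }
 userOpSignature = packedData[p:];
@@ -51,17 +66,32 @@ library DataParserLib {
 // equivalent of:
 // (types, initDatas) = abi.decode(initData,(uint[],bytes[]))
 assembly ("memory-safe") {
+let dataSize := calldatasize() // Get total calldata size
 let offset := initData.offset
 let baseOffset := offset
+
+// Check if reading first pointer is within bounds
+if gt(add(offset, 0x20), dataSize) { revert(0, 0) }
 let dataPointer := add(baseOffset, calldataload(offset))
 
+// Check if reading types array length is within bounds
+if gt(add(dataPointer, 0x20), dataSize) { revert(0, 0) }
 types.offset := add(dataPointer, 32)
 types.length := calldataload(dataPointer)
+// Check if types array data doesn't exceed calldata
+if gt(add(types.offset, mul(types.length, 32)), dataSize) { revert(0, 0) }
 offset := add(offset, 32)
 
+// Check if reading second pointer is within bounds
+if gt(add(offset, 0x20), dataSize) { revert(0, 0) }
 dataPointer := add(baseOffset, calldataload(offset))
+
+// Check if reading initDatas array length is within bounds
+if gt(add(dataPointer, 0x20), dataSize) { revert(0, 0) }
 initDatas.offset := add(dataPointer, 32)
 initDatas.length := calldataload(dataPointer)
+// Check if initDatas array data doesn't exceed calldata
+if gt(add(initDatas.offset, mul(initDatas.length, 32)), dataSize) { revert(0, 0) }
 }
 }
 }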
