From 83cb7725f505097b256b0798bb3467da8e3af0ee Mon Sep 17 00:00:00 2001
From: pcw109550
Date: Thu, 8 Feb 2024 14:25:36 +0900
Subject: [PATCH] Fix PreimageOracle off-by-one
---
 rvsol/src/PreimageOracle.sol | 4 ++--
 rvsol/test/PreimageOracle.t.sol | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/rvsol/src/PreimageOracle.sol b/rvsol/src/PreimageOracle.sol
index e7b35ba0..717dd814 100644
--- a/rvsol/src/PreimageOracle.sol
+++ b/rvsol/src/PreimageOracle.sol
@@ -114,8 +114,8 @@ contract PreimageOracle is IPreimageOracle {
 // len(sig) + len(partOffset) + len(preimage offset) = 4 + 32 + 32 = 0x44
 size := calldataload(0x44)
- // revert if part offset > size+8 (i.e. parts must be within bounds)
- if gt(_partOffset, add(size, 8)) {
+ // revert if part offset >= size+8 (i.e. parts must be within bounds)
+ if iszero(lt(_partOffset, add(size, 8))) {
 // Store "PartOffsetOOB()"
 mstore(0, 0xfe254987)
 // Revert with "PartOffsetOOB()"
diff --git a/rvsol/test/PreimageOracle.t.sol b/rvsol/test/PreimageOracle.t.sol
index e74fbc57..7b825152 100644
--- a/rvsol/test/PreimageOracle.t.sol
+++ b/rvsol/test/PreimageOracle.t.sol
@@ -133,6 +133,16 @@ contract PreimageOracle_Test is Test {
 assertTrue(ok);
 }
+ /// @notice Tests that adding a global keccak256 pre-image at the part boundary reverts.
+ function test_loadKeccak256PreimagePart_partBoundary_reverts() public {
+ bytes memory preimage = hex"deadbeef";
+ uint256 offset = preimage.length + 8;
+
+ // TODO: remove magic errors
+ vm.expectRevert(0xfe254987);
+ oracle.loadKeccak256PreimagePart(offset, preimage);
+ }
+
 /// @notice Tests that a pre-image cannot be set with an out-of-bounds offset.
 function test_loadLocalData_outOfBoundsOffset_reverts() public {
 bytes32 preimage = bytes32(uint256(0xdeadbeef));
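Review bot: In rvsol/src/PreimageOracle.sol the tightened bound still compares `_partOffset` against `size` as read by `size := calldataload(0x44)`, and that word is the preimage length only while the offset word before it holds the canonical value, which is what the comment's 4 + 32 + 32 arithmetic assumes. If the rest of the function addresses the data through the bytes parameter itself, the check and the later copy could disagree on the length, so I would either take the length from that parameter's `.length` or state the assumption next to the load, e.g. `// assumes canonical ABI encoding: the bytes length word sits at 0x44`. The `if` block and the function body continue outside the hunk, so this needs confirming against the full function.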
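Review bot: In rvsol/test/PreimageOracle.t.sol the new test pins only the rejecting side of the boundary (`offset = preimage.length + 8`); nothing visible in this hunk asserts that the last in-bounds offset, `preimage.length + 7`, is still accepted, so a later over-tightening of the check would pass unnoticed. A companion test at that offset which expects the call to succeed would fix the boundary from both sides. The `TODO: remove magic errors` could also be closed by expecting the error's selector rather than the literal `0xfe254987`, if `PartOffsetOOB` is declared where the test can reach it, which is not visible here.

```solidity
/// @notice Tests that the last in-bounds part offset is still accepted.
function test_loadKeccak256PreimagePart_lastValidOffset_succeeds() public {
    bytes memory preimage = hex"deadbeef";
    uint256 offset = preimage.length + 7;

    oracle.loadKeccak256PreimagePart(offset, preimage);
}
```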