From 2d2a7f23471270392baf64855ae205c287888e7d Mon Sep 17 00:00:00 2001 From: Buldram Date: Mon, 22 Jul 2024 01:11:14 -0400 Subject: [PATCH] Fix out-of-bounds slicing in std/varints (#23868) Corrects a slicing mistake in the `std/varints` implementation which caused it to fail when writing large numbers into buffers smaller than 10..13-bytes, now 9-byte buffers are sufficient as the documentation states. --- lib/std/varints.nim | 12 ++++++------ tests/stdlib/tvarints.nim | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/std/varints.nim b/lib/std/varints.nim index 0d18b90699..32fe2fffb0 100644 --- a/lib/std/varints.nim +++ b/lib/std/varints.nim @@ -82,29 +82,29 @@ proc writeVu64*(z: var openArray[byte], x: uint64): int = z[3] = cast[uint8](y) return 4 z[0] = 251 - varintWrite32(toOpenArray(z, 1, z.high-1), y) + varintWrite32(toOpenArray(z, 1, 4), y) return 5 if w <= 255: z[0] = 252 z[1] = cast[uint8](w) - varintWrite32(toOpenArray(z, 2, z.high-2), y) + varintWrite32(toOpenArray(z, 2, 5), y) return 6 if w <= 65535: z[0] = 253 z[1] = cast[uint8](w shr 8) z[2] = cast[uint8](w) - varintWrite32(toOpenArray(z, 3, z.high-3), y) + varintWrite32(toOpenArray(z, 3, 6), y) return 7 if w <= 16777215: z[0] = 254 z[1] = cast[uint8](w shr 16) z[2] = cast[uint8](w shr 8) z[3] = cast[uint8](w) - varintWrite32(toOpenArray(z, 4, z.high-4), y) + varintWrite32(toOpenArray(z, 4, 7), y) return 8 z[0] = 255 - varintWrite32(toOpenArray(z, 1, z.high-1), w) - varintWrite32(toOpenArray(z, 5, z.high-5), y) + varintWrite32(toOpenArray(z, 1, 4), w) + varintWrite32(toOpenArray(z, 5, 8), y) return 9 proc sar(a, b: int64): int64 = diff --git a/tests/stdlib/tvarints.nim b/tests/stdlib/tvarints.nim index 35f1cd8498..f9624ee5be 100644 --- a/tests/stdlib/tvarints.nim +++ b/tests/stdlib/tvarints.nim @@ -33,7 +33,7 @@ block: doAssert cast[float64](got) == test block: - var hugeIntArray: array[50, byte] + var hugeIntArray: array[9, byte] var readedInt: uint64 template chk(a) =