Skinny Licorice Ostrich
Medium
Functions like verify do not validate the lengths of the proof and target_circuit_final_pair arrays.
Functions like verify do not validate the lengths of the proof and target_circuit_final_pair arrays.
function verify(uint256[] calldata proof, uint256[] calldata target_circuit_final_pair) public view { uint256[6] memory instances; instances[0] = target_circuit_final_pair[0] & ((1 << 136) - 1); instances[1] = (target_circuit_final_pair[0] >> 136) + ((target_circuit_final_pair[1] & 1) << 136); instances[2] = target_circuit_final_pair[2] & ((1 << 136) - 1); instances[3] = (target_circuit_final_pair[2] >> 136) + ((target_circuit_final_pair[3] & 1) << 136);
instances[4] = target_circuit_final_pair[4];
instances[5] = target_circuit_final_pair[5];
uint256 x0 = 0;
uint256 x1 = 0;
uint256 y0 = 0;
uint256 y1 = 0;
G1Point[] memory g1_points = new G1Point[](2);
G2Point[] memory g2_points = new G2Point[](2);
bool checked = false;
(x0, y0, x1, y1) = get_wx_wg(proof, instances);
g1_points[0].x = x0;
g1_points[0].y = y0;
g1_points[1].x = x1;
g1_points[1].y = y1;
g2_points[0] = get_verify_circuit_g2_s();
g2_points[1] = get_verify_circuit_g2_n();
checked = pairing(g1_points, g2_points);
require(checked);
g1_points[0].x = target_circuit_final_pair[0];
g1_points[0].y = target_circuit_final_pair[1];
g1_points[1].x = target_circuit_final_pair[2];
g1_points[1].y = target_circuit_final_pair[3];
g2_points[0] = get_target_circuit_g2_s();
g2_points[1] = get_target_circuit_g2_n();
checked = pairing(g1_points, g2_points);
require(checked);
}
}
If the arrays are shorter than expected, it could lead to out-of-bounds memory access.
Manual Review
validate the lengths of input arrays before processing