When the input contains more accounts than the user has requested to be deserialized, and one of the excess ones is a dup, the input pointer is not adjusted correctly.
Compare the lines added by this commit to line 401: "input += 7; // padding". Since the input data layout does not depend on the number of accounts the user wants to deserialize, this adjustment by 7 bytes must happen in both branches.
(cherry picked from commit e02b4e1192)
Co-authored-by: Christian Machacek <39452430+machacekch@users.noreply.github.com>
This commit is contained in:
mergify[bot]
GitHub
@ -345,6 +345,8 @@ static bool sol_deserialize(
|
||||
input += MAX_PERMITTED_DATA_INCREASE;
|
||||
input = (uint8_t*)(((uint64_t)input + 8 - 1) & ~(8 - 1)); // padding
|
||||
input += sizeof(uint64_t);
|
||||
} else {
|
||||
input += 7; // padding
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user