Category: Coding Mistakes
Parsing errors ignored in GetHexArray
Low Severity
Low Impact
Low Likelihood
Description
The public GetHexArray function is implemented in common/utils/hex.go as follows:
func GetHexArray(hexStr string, maxLen int) (res []frontend.Variable) {
	for i := 0; i < maxLen; i++ {
		if i < len(hexStr) {
			intValue, _ := strconv.ParseInt(string(hexStr[i]), 16, 64)
			res = append(res, intValue)
		} else {
			res = append(res, 0)
		}
	}
	return
}
When the character being parsed with strconv.ParseInt is not a valid hexadecimal character, an error is returned and the returned value is zero. However, GetHexArray ignores the error and uses the zero value anyway.
Impact
The GetHexArray function will use zero for characters that could not be parsed as hexadecimal characters. Users calling GetHexArray likely do not intend this behavior, so this can lead to unintended results.
Recommendations
We recommend checking the returned error and panicking if it is not nil.
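The following is an added example, not code from the Brevis repository or from the fix commit. It shows why the ignored error matters (an invalid character becomes indistinguishable from the digit 0) and one way to apply the recommendation. The Variable alias stands in for gnark's frontend.Variable, and the strict flag, collides and strictPanics are hypothetical names introduced for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
)

// Variable stands in for frontend.Variable (assumption) so the example runs without gnark.
type Variable = interface{}

// getHexArray mirrors GetHexArray. With strict=false it reproduces the behaviour
// described in the finding (parse errors discarded); with strict=true it panics
// on the first character that is not a hexadecimal digit, as recommended.
func getHexArray(hexStr string, maxLen int, strict bool) (res []Variable) {
	for i := 0; i < maxLen; i++ {
		if i < len(hexStr) {
			v, err := strconv.ParseInt(string(hexStr[i]), 16, 64)
			if err != nil && strict {
				panic(fmt.Sprintf("GetHexArray: invalid hex character %q at index %d", hexStr[i], i))
			}
			res = append(res, v) // v is 0 when err != nil
		} else {
			res = append(res, 0) // zero padding up to maxLen
		}
	}
	return
}

// collides reports whether two different inputs yield the same array when errors are ignored.
func collides(a, b string, maxLen int) bool {
	return reflect.DeepEqual(getHexArray(a, maxLen, false), getHexArray(b, maxLen, false))
}

// strictPanics reports whether the strict variant rejects the input.
func strictPanics(s string, maxLen int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	getHexArray(s, maxLen, true)
	return false
}

func main() {
	// Constructed inputs: "ag" contains the non-hex character 'g'.
	fmt.Println(collides("a0", "ag", 4), strictPanics("ag", 4), strictPanics("a0", 4))
}
```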
Remediation
This issue has been acknowledged by Brevis, and a fix was implemented in commit 4b5029f4.