
[Bug] Large function type only caught by paranoid mode

Open wrwg opened this issue 6 months ago • 3 comments

The following PoC throws a TOO_MANY_TYPE_NODES invariant-violation error in create_vec_ty -> check. With paranoid mode turned off, however, it simply allows constructing types that exceed the max node limit:

/// Proof of concept for the issue above: the annotated vector element type is a
/// function type with a very long parameter list, so the whole type exceeds the
/// VM's maximum type-node count. With paranoid mode on, `create_vec_ty -> check`
/// rejects it with a TOO_MANY_TYPE_NODES invariant violation; with paranoid mode
/// off, the issue reports that the over-sized type is constructed without any
/// check, i.e. the node limit is only enforced on the paranoid path.
module 0x66::work {
    use 0x1::vector;

    /// Entry function that only declares a local of the over-sized vector type
    /// and initialises it via `vector::empty()`.
    public entry fun foo() {
        // NOTE(review): the number of `u64` parameters is what pushes this type
        // past the node limit — keep it unchanged when reproducing. The error is
        // reported from create_vec_ty, presumably when `vector::empty()` is
        // instantiated with this type; confirm against the VM's type builder.
        let _: vector<|u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64,u64| has drop> = vector::empty();
    }
}

Reported by OtterSec.

wrwg avatar Apr 29 '25 04:04 wrwg