Fix potential array out of bounds in the runtime (#437)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
hypermodeinc · Oct 8, 2024 · 1ed5256 · 1ed5256
1 parent caafc0a
commit 1ed5256
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - Add models to Modus AssemblyScript SDK [#428](https://github.com/hypermodeinc/modus/pull/428)
 - Update Readme files [#432](https://github.com/hypermodeinc/modus/pull/432)
 - Fix vulnerability in AssemblyScript SDK install script [#435](https://github.com/hypermodeinc/modus/pull/435)
+- Fix potential array out of bounds in the runtime [#437](https://github.com/hypermodeinc/modus/pull/437)
 
 ## 2024-10-02 - Version 0.12.7
 

diff --git a/runtime/languages/golang/typeinfo.go b/runtime/languages/golang/typeinfo.go
@@ -12,6 +12,7 @@ package golang
 import (
 	"context"
 	"fmt"
+	"math"
 	"reflect"
 	"strconv"
 	"strings"
@@ -117,7 +118,15 @@ func (lti *langTypeInfo) ArrayLength(typ string) (int, error) {
 		return -1, fmt.Errorf("invalid array type: %s", typ)
 	}
 
-	return strconv.Atoi(size)
+	parsedSize, err := strconv.Atoi(size)
+	if err != nil {
+		return -1, err
+	}
+	if parsedSize < 0 || parsedSize > math.MaxUint32 {
+		return -1, fmt.Errorf("array size out of bounds: %s", size)
+	}
+
+	return parsedSize, nil
 }
 
 func (lti *langTypeInfo) IsBooleanType(typ string) bool {