parse_nftoken_id slices by byte index; panics on non-ASCII 64-byte input #173

@ckeshava

Description

parse_nftoken_id performs &nft_id[0..4], [4..8], [8..48], [48..56], [56..64] after a nft_id.len() != 64 check. NFT IDs are required to be ASCII hex, but the length guard uses byte-length, not char-count. A 64-byte non-ASCII UTF-8 input can land on a non-char-boundary and panic.

Location

Impact / Severity

Low.

Adversarial Agent Notes

Verdict: ACCEPT.
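
The failure mode and one way to guard against it, as an added example that is not part of the original issue or the project's code. The function names and sample input are hypothetical; only the slice ranges come from the issue text.

```rust
use std::panic;

/// Field layout taken from the slice ranges quoted in the issue.
const RANGES: [(usize, usize); 5] = [(0, 4), (4, 8), (8, 48), (48, 56), (56, 64)];

/// Mirrors the reported pattern: byte-length guard, then byte-index slicing.
fn split_unchecked(nft_id: &str) -> Option<[&str; 5]> {
    if nft_id.len() != 64 {
        return None;
    }
    Some(RANGES.map(|(a, b)| &nft_id[a..b])) // panics off a char boundary
}

/// Hardened: reject anything that is not 64 ASCII hex digits before slicing.
fn split_checked(nft_id: &str) -> Result<[&str; 5], &'static str> {
    if nft_id.len() != 64 {
        return Err("expected 64 characters");
    }
    if !nft_id.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err("expected ASCII hex");
    }
    // All bytes are ASCII, so every byte index is a char boundary.
    Ok(RANGES.map(|(a, b)| &nft_id[a..b]))
}

/// True if the unchecked splitter panics on `input`.
fn unchecked_panics(input: &str) -> bool {
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {})); // silence the panic message
    let panicked = panic::catch_unwind(|| { split_unchecked(input); }).is_err();
    panic::set_hook(prev);
    panicked
}

/// Constructed input: 64 bytes but 63 chars; 'é' occupies bytes 3 and 4.
fn sample_bad() -> String {
    format!("000é{}", "0".repeat(59))
}

fn main() {
    let bad = sample_bad();
    println!("unchecked panics: {}", unchecked_panics(&bad));
    println!("checked: {:?}", split_checked(&bad));
}
```

The ASCII hex check makes the byte-length guard equivalent to a character count, so the fixed byte offsets are safe to slice.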

Labels: AI Triage (Issue reported via AI-assisted analysis; needs human triage)
