Potential out-of-bounds read in C API header checks (Serialization_IsCompatibleVersion/IsValidHeader) #737

@CutieDeng

Description

Summary

The C API functions Serialization_IsCompatibleVersion and Serialization_IsValidHeader appear to read a full SEALHeader from user-provided memory even when the caller-provided size is not equal to sizeof(SEALHeader).

Affected code

  • native/src/seal/c/serialization.cpp
    • Serialization_IsCompatibleVersion
    • Serialization_IsValidHeader

Current logic sets *result = false when size mismatch is detected, but does not return early before memcpy(..., sizeof(SEALHeader)).

Why this is risky

If a caller passes a small buffer (e.g., size = 1) and a pointer to that small allocation, the function may perform an out-of-bounds read of up to sizeof(SEALHeader) bytes. This can lead to crashes (DoS) and is generally unsafe for untrusted FFI inputs.

Suggested fix

In both functions, return immediately when size does not match the expected header size. For example:

if (size != static_cast<uint64_t>(sizeof(Serialization::SEALHeader)))
{
    *result = false;
    return E_INVALIDARG; // or return S_OK while preserving false
}

Alternatively, use the already-hardened core path (Serialization::LoadHeader) style checks before any copy from caller memory.

Notes

I noticed this while auditing commit 7a931d55 locally. Happy to send a PR if maintainers agree with the direction.
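Added example, not SEAL's own code: a self-contained C++ model of the two C API checks with the early return proposed above, so the size test fails before any byte of the caller's buffer is copied. The header layout, magic value, header_size value, current major version and the return-code stand-ins for S_OK/E_INVALIDARG are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed 16-byte header layout modelled on the SEALHeader the issue
// refers to; field names and the constant values below are assumptions.
struct Header {
    uint16_t magic;
    uint8_t header_size, version_major, version_minor, compr_mode;
    uint16_t reserved;
    uint64_t size;
};
static_assert(sizeof(Header) == 16, "example assumes a 16-byte header");

constexpr uint16_t kMagic = 0xA15E;   // assumed magic value
constexpr uint8_t kHeaderSize = 0x10; // assumed header_size field value
constexpr uint8_t kCurrentMajor = 4;  // assumed library major version
constexpr long kOk = 0;               // stand-in for S_OK
constexpr long kInvalidArg = -1;      // stand-in for E_INVALIDARG

// Hardened check: the size test runs first and returns before any byte of the
// caller's buffer is read, so a too-small allocation can never be over-read.
long is_valid_header(const uint8_t *buf, uint64_t size, bool *result) {
    if (!buf || !result) return kInvalidArg;
    if (size != static_cast<uint64_t>(sizeof(Header))) {
        *result = false;
        return kInvalidArg; // early return: no memcpy on a size mismatch
    }
    Header h;
    std::memcpy(&h, buf, sizeof(Header)); // safe: size was verified above
    *result = (h.magic == kMagic) && (h.header_size == kHeaderSize);
    return kOk;
}

// Version check built on the same guarded path; "same major" rule is an assumption.
long is_compatible_version(const uint8_t *buf, uint64_t size, bool *result) {
    if (!result) return kInvalidArg;
    bool valid = false;
    long rc = is_valid_header(buf, size, &valid);
    if (rc != kOk || !valid) { *result = false; return rc; }
    Header h;
    std::memcpy(&h, buf, sizeof(Header));
    *result = (h.version_major == kCurrentMajor);
    return kOk;
}

// Writes a constructed header blob into out (16 bytes) for exercising the checks.
size_t make_header(uint8_t *out, uint8_t major, uint16_t magic) {
    Header h{magic, kHeaderSize, major, 0, 0, 0, 0};
    std::memcpy(out, &h, sizeof(Header));
    return sizeof(Header);
}
```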
