CVE-2026-41197

Description

Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in BrilligBlock::compile_block(). When the compiler encounters an Instruction::Call with a Value::ForeignFunction target, it invokes codegen_call() in brilligcall/codegen_call.rs, which dispatches to convertssaforeign_call().

Before emitting the foreign call opcode, the compiler must pre-allocate memory for any array results the call will return. This happens through allocateexternalcall_results(), which iterates over the result types. For Type::Array results, it delegates to allocateforeigncallresultarray() to recursively allocate memory on the heap for nested arrays.

The BrilligArray struct is the internal representation of a Noir array in Brillig IR. Its size field represents the semi-flattened size, the total number of memory slots the array occupies, accounting for the fact that composite types like tuples consume multiple slots per element. This size is computed by computearraylength() in brilligblockvariables.rs:

pub(crate) fn compute_array_length(item_typ: &CompositeType, elem_count: usize) -> usize {
    item_typ.len() * elem_count
}

For the outer array, allocateexternalcall_results() correctly uses define_variable(), which internally calls allocatevaluewith_type(). This function applies the formula above, producing the correct semi-flattened size.

However, for nested arrays, allocateforeigncallresultarray() contains a bug. When it encounters a nested Type::Array(types, nested_size), it calls:

Type::Array(_, nested_size) => { 
	let inner_array = self.brillig_context.allocate_brillig_array(*nested_size as usize);
	// ....
}

The pattern Type::Array(, nestedsize) discards the inner types with _ and uses only nested_size, the semantic length of the nested array (the number of logical elements), not the semi-flattened size. For simple element types this works correctly, but for composite element types it under-allocates. Consider a nested array of type [(u32, u32); 3]:

•   Semantic length: 3 (three tuples)
•   Element size: 2 (each tuple has two fields)
•   Required semi-flattened size: 6 memory slots

The current code passes 3 to allocatebrilligarray(), which then calls codegeninitializearray(). This function allocates array.size + ARRAYMETACOUNT slots, only 4 slots instead of the required 7 (6 data + 1 metadata). When the VM executes the foreign call and writes 6 values plus metadata, it overwrites adjacent heap memory.

Impact

Foreign calls returning nested arrays of tuples or other composite types corrupt the Brillig VM heap.

Recommendation

Multiply the semantic length by the number of element types when allocating nested arrays. Extract the inner types from the pattern and replace the nested_size argument to allocatebrilligarray() with types.len() * nested_size to compute the semi-flattened size. Alternatively, reuse the existing computearraylength() helper function to maintain consistency with outer array allocation.