The latest release of Solidity version 0.4.25 fixes two important bugs. Another important bug was previously fixed in version 0.4.22 but was only recently discovered to exist.
Please note that the Ethereum Foundation operates a bounty program specifically for the code generator part of Solidity.
Cleanup of Exponent in Exponentiation
Summary: The use of short types in the exponent of an exponentiation operation can lead to invalid results. This bug has been fixed in version 0.4.25.
The Solidity language allows integer types that are shorter than 256 bits, even though the Ethereum Virtual Machine only recognizes types of exactly 256 bits. Due to this, higher order bits must be set to zero on occasion. For most operations, whether these bits are set to zero or not is irrelevant. However, the Solidity compiler delays this cleanup until it is necessary in order to save gas.
In a very specific circumstance, an incorrect result can occur: when the exponent of the ** operator has a type that is shorter than 256 bits but not shorter than the type of the base, and that exponent contains dirty higher order bits. Literal exponents, as in x ** 2, are not affected, and neither are expressions whose base has type uint256 or int256.
Note that a function parameter can have dirty higher order bits if the function is called by a malicious entity. The same holds true for data returned from functions of contracts deployed by malicious entities. After screening a large number of contracts, it is believed that this bug only affects a very small number of smart contracts, if any at all.
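The following contract is an added illustration, not code from the Solidity team or this post: it places the affected exponent pattern described above next to the two forms the post says are unaffected, so an auditor knows which signatures to look for in code compiled before 0.4.25 (function and contract names are assumed for the example).

```solidity
// Added example (hypothetical names). With a compiler older than 0.4.25, the first
// function matches the advisory's affected pattern; pinning to 0.4.25 removes it.
pragma solidity ^0.4.25;

contract ExponentCleanupExample {
    // Affected pattern before 0.4.25: the exponent type (uint16) is shorter than
    // 256 bits but not shorter than the base type (uint8). A caller can pass
    // calldata whose bits above the 16th are non-zero; if the compiler has not
    // cleaned them before the exponentiation, the result can be wrong.
    function powShortExponent(uint8 base, uint16 exponent) public pure returns (uint256) {
        return base ** exponent;
    }

    // Unaffected per the post: a literal exponent ...
    function square(uint8 base) public pure returns (uint256) {
        return base ** 2;
    }

    // ... or a base whose type is uint256 (or int256).
    function powFullWidthBase(uint256 base, uint16 exponent) public pure returns (uint256) {
        return base ** exponent;
    }
}
```

When reviewing deployed contracts, the relevant question is the compiler version recorded for the deployment, not just the source text: the same source compiled with 0.4.25 or later is fixed.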
This bug was discovered by nweller.
Memory Corruption in Multi-Dimensional Array Decoder
Summary: Calling functions of other contracts that return multi-dimensional fixed-size arrays can result in memory corruption. This bug was introduced in version 0.1.4 and was fixed in version 0.4.22.
If Solidity code calls a function that returns a multi-dimensional fixed-size array, the returned ABI-encoded data must be converted to Solidity’s internal representation of arrays, which uses a different layout. The decoder did not take this difference into account, which can cause memory corruption if the return values are accessed. The bug is confined to the component that decodes a multi-dimensional fixed-size array returned from a function call made from Solidity.
This bug was discovered by jmahhh.
Invalid Encoding of Structs in Events
Summary: Structs as event parameters are not handled properly. This bug was introduced in version 0.4.17 and was fixed in version 0.4.25.
Structs were not meant to be supported as event parameters without the new ABI encoder. The compiler did accept them, but encoded their memory address instead of their actual value. Structs are now properly disallowed as event parameters with the old encoder, and also with the new encoder when they are indexed.