From f23d5c4d226326577fb793941bdeab4d005da7df Mon Sep 17 00:00:00 2001
From: Emmanuel T Odeke <emmanuel@orijtech.com>
Date: Sat, 2 Dec 2023 06:11:33 -0800
Subject: [PATCH] refactor(x/tx/decode): bulletproof against
 protowire.ConsumeTag potential varint overflows (#18611)

---
 x/tx/decode/adr027.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/x/tx/decode/adr027.go b/x/tx/decode/adr027.go
index 0588acbaa9..f6d46c223b 100644
--- a/x/tx/decode/adr027.go
+++ b/x/tx/decode/adr027.go
@@ -24,6 +24,14 @@ func rejectNonADR027TxRaw(txBytes []byte) error {
 		if m < 0 {
 			return fmt.Errorf("invalid length; %w", protowire.ParseError(m))
 		}
+
+		// Paranoia from possible varint decoding which can trivially
+		// be wrong due to the precarious nature of the format being tricked:
+		// https://cyber.orijtech.com/advisory/varint-decode-limitless
+		if m > len(txBytes) {
+			return fmt.Errorf("invalid length from decoding (%d) > len(txBytes) (%d)", m, len(txBytes))
+		}
+
 		// TxRaw only has bytes fields.
 		if wireType != protowire.BytesType {
 			return fmt.Errorf("expected %d wire type, got %d", protowire.BytesType, wireType)