diff --git a/chain/types/ethtypes/rlp.go b/chain/types/ethtypes/rlp.go
index 7943cba11..15cee4a22 100644
--- a/chain/types/ethtypes/rlp.go
+++ b/chain/types/ethtypes/rlp.go
@@ -134,7 +134,7 @@ func decodeRLP(data []byte) (res interface{}, consumed int, err error) {
 return nil, 0, err
 }
 totalLen := 1 + strLenInBytes + strLen
- if totalLen > len(data) {
+ if totalLen > len(data) || totalLen < 0 {
 return nil, 0, xerrors.Errorf("invalid rlp data: out of bound while parsing string")
 }
 return data[1+strLenInBytes : totalLen], totalLen, nil
@@ -160,7 +160,9 @@ func decodeLength(data []byte, lenInBytes int) (length int, err error) {
 if decodedLength < 0 {
 return 0, xerrors.Errorf("invalid rlp data: negative string length")
 }
- if lenInBytes+int(decodedLength) > len(data) {
+
+ totalLength := lenInBytes + int(decodedLength)
+ if totalLength < 0 || totalLength > len(data) {
 return 0, xerrors.Errorf("invalid rlp data: out of bound while parsing list")
 }
 return int(decodedLength), nil
diff --git a/chain/types/ethtypes/rlp_test.go b/chain/types/ethtypes/rlp_test.go
index 58f7e4178..0ce6e15d9 100644
--- a/chain/types/ethtypes/rlp_test.go
+++ b/chain/types/ethtypes/rlp_test.go
@@ -148,11 +148,12 @@ func TestDecodeNegativeLength(t *testing.T) {
 mustDecodeHex("0xbfffffffffffffff0041424344"),
 mustDecodeHex("0xc1bFFF1111111111111111"),
 mustDecodeHex("0xbFFF11111111111111"),
+ mustDecodeHex("0xbf7fffffffffffffff41424344"),
 }
 for _, tc := range testcases {
 _, err := DecodeRLP(tc)
- require.Error(t, err, "invalid rlp data: negative string length")
+ require.ErrorContains(t, err, "invalid rlp data")
 }
 }
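Review bot: The added `totalLen < 0` condition in decodeRLP notices the overflow only after `1 + strLenInBytes + strLen` has already wrapped, so the bound depends on the wrapped sum being negative rather than on the untrusted length itself. Comparing before adding cannot overflow as long as strLen is non-negative, which the `decodedLength < 0` rejection in decodeLength suggests: `if strLen > len(data)-1-strLenInBytes {`. A comment such as `// strLen is decoded from untrusted length bytes; compare without summing` would record why that form is used. This branch starts above the hunk, so it is not visible whether other branches of decodeRLP compute a similar sum without a guard; that is worth checking.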
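Review bot: `int(decodedLength)` is narrowed before any bound is applied, so on a build where `int` is 32 bits a large decoded value could truncate to a small non-negative number and pass both new conditions on `totalLength`. This assumes decodedLength is a 64-bit integer; its declaration is above the hunk. Doing the comparison in the wide type before converting removes both the truncation and the wrap: `if decodedLength > int64(len(data)-lenInBytes) {`, which relies on `lenInBytes <= len(data)` having been enforced earlier in the function (not visible here). The returned `int(decodedLength)` is then known to fit.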
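Review bot: `require.ErrorContains(t, err, "invalid rlp data")` matches the prefix shared by every decoder error visible in this diff, so the added vector `0xbf7fffffffffffffff41424344` passes regardless of which guard rejects it, and the test would still pass if a different check than the new overflow guard caught the input. Pairing each input with the message it is meant to trigger keeps the regression pinned: make `testcases` a slice of structs with an `input` and a `want` field and assert `require.ErrorContains(t, err, tc.want)`. The new case presumably expects the "out of bound" error from decodeLength rather than "negative string length"; confirm that when filling in `want`.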