Merge pull request #2122 from rsksmart/fingerroot520-master-merge

FINGERROOT-5.2.0 -> master merge
rsksmart · Sep 6, 2023 · c6c1792 · c6c1792
2 parents 0714f7d + 14ab140
commit c6c1792
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/rskj-core/src/main/java/org/ethereum/util/RLP.java b/rskj-core/src/main/java/org/ethereum/util/RLP.java
@@ -416,7 +416,7 @@ public static RLPElement decodeFirstElement(@CheckForNull byte[] msgData, int po
         return decodeElement(msgData, position).getKey();
     }
 
-    private static Pair<RLPElement, Integer> decodeElement(byte[] msgData, int position) {
+    private static Pair<RLPElement, Integer> decodeElement(byte[] msgData, int position) { // NOSONAR
         int b0 = msgData[position] & 0xff;
 
         if (b0 >= 192) {
@@ -433,6 +433,10 @@ private static Pair<RLPElement, Integer> decodeElement(byte[] msgData, int posit
                 offset = 1 + nbytes;
             }
 
+            if (Long.compareUnsigned(length, Integer.MAX_VALUE) > 0) {
+                throw new RLPException("The current implementation doesn't support lengths longer than Integer.MAX_VALUE because that is the largest number of elements an array can have");
+            }
+
             if (position + length > msgData.length) {
                 throw new RLPException("The RLP byte array doesn't have enough space to hold an element with the specified length");
             }
@@ -492,6 +496,10 @@ private static int bytesToLength(byte[] bytes, int position, int size) {
             length += bytes[position + k] & 0xff;
         }
 
+        if (length < 0) {
+            throw new RLPException("The length of the RLP item can't be negative");
+        }
+
         return length;
     }
 

diff --git a/rskj-core/src/test/java/co/rsk/util/RLPTest.java b/rskj-core/src/test/java/co/rsk/util/RLPTest.java
@@ -977,7 +977,7 @@ void lengthOfLengthOfMaxIntegerDoesntOverflow() {
     void lengthOfLengthGreaterThanMaxIntegerOverflows() {
         try {
             // Integer.MAX_VALUE + 1
-            byte[] encoded = new byte[] { (byte)(183 + 4), (byte)0x80, (byte)0xff, (byte)0xff, (byte)0xff };
+            byte[] encoded = new byte[] { (byte)(192 + 55 + 4), (byte)0x7F, (byte)0xff, (byte)0xff, (byte)0xff };
             RLP.decodeBigInteger(encoded, 0);
             Assertions.fail();
         }
@@ -986,6 +986,19 @@ void lengthOfLengthGreaterThanMaxIntegerOverflows() {
         }
     }
 
+    @Test
+    void lengthOfLengthLessThanZero() {
+        try {
+            // Integer.MAX_VALUE + 1
+            byte[] encoded = new byte[] { (byte)(183 + 4), (byte)0x80, (byte)0xff, (byte)0xff, (byte)0xff };
+            RLP.decodeBigInteger(encoded, 0);
+            Assertions.fail();
+        }
+        catch (RLPException ex) {
+            Assertions.assertEquals("The length of the RLP item can't be negative", ex.getMessage());
+        }
+    }
+
     @Test
     void encodeDecodeInteger() {
         for (int k = 0; k < 2048; k++) {