From 871d1ba547b7cd35e70eddc2af90c195de0a3d26 Mon Sep 17 00:00:00 2001
From: Fridrik Asmundsson <fridrik01@gmail.com>
Date: Fri, 14 Jul 2023 11:49:50 +0000
Subject: [PATCH] fix: DecodeRLP can panic

---
 chain/types/ethtypes/rlp.go      |  3 +++
 chain/types/ethtypes/rlp_test.go | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/chain/types/ethtypes/rlp.go b/chain/types/ethtypes/rlp.go
index 049ea6fc4c2..7943cba11c6 100644
--- a/chain/types/ethtypes/rlp.go
+++ b/chain/types/ethtypes/rlp.go
@@ -157,6 +157,9 @@ func decodeLength(data []byte, lenInBytes int) (length int, err error) {
 	if err := binary.Read(r, binary.BigEndian, &decodedLength); err != nil {
 		return 0, xerrors.Errorf("invalid rlp data: cannot parse string length: %w", err)
 	}
+	if decodedLength < 0 {
+		return 0, xerrors.Errorf("invalid rlp data: negative string length")
+	}
 	if lenInBytes+int(decodedLength) > len(data) {
 		return 0, xerrors.Errorf("invalid rlp data: out of bound while parsing list")
 	}
diff --git a/chain/types/ethtypes/rlp_test.go b/chain/types/ethtypes/rlp_test.go
index bdbedff0052..58f7e417885 100644
--- a/chain/types/ethtypes/rlp_test.go
+++ b/chain/types/ethtypes/rlp_test.go
@@ -143,6 +143,19 @@ func TestDecodeList(t *testing.T) {
 	}
 }
 
+func TestDecodeNegativeLength(t *testing.T) {
+	testcases := [][]byte{
+		mustDecodeHex("0xbfffffffffffffff0041424344"),
+		mustDecodeHex("0xc1bFFF1111111111111111"),
+		mustDecodeHex("0xbFFF11111111111111"),
+	}
+
+	for _, tc := range testcases {
+		_, err := DecodeRLP(tc)
+		require.Error(t, err, "invalid rlp data: negative string length")
+	}
+}
+
 func TestDecodeEncodeTx(t *testing.T) {
 	testcases := [][]byte{
 		mustDecodeHex("0xdc82013a0185012a05f2008504a817c8008080872386f26fc1000000c0"),