Fix oppushdata overflow bug (#22)

libsv · May 6, 2021 · 711c7a8 · 711c7a8
1 parent 80bf78a
commit 711c7a8
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 13 deletions.
diff --git a/bscript/oppushdata.go b/bscript/oppushdata.go
@@ -90,37 +90,51 @@ func DecodeParts(b []byte) ([][]byte, error) {
 			if len(b) < 2 {
 				return r, errors.New("not enough data")
 			}
-			l := uint64(b[1])
-			if len(b) < int(2+l) {
+
+			l := int(b[1])
+			b = b[2:]
+
+			if len(b) < l {
 				return r, errors.New("not enough data")
 			}
-			part := b[2 : 2+l]
+
+			part := b[:l]
 			r = append(r, part)
-			b = b[2+l:]
+			b = b[l:]
 
 		case OpPUSHDATA2:
 			if len(b) < 3 {
 				return r, errors.New("not enough data")
 			}
-			l := binary.LittleEndian.Uint16(b[1:])
-			if len(b) < int(3+l) {
+
+			l := int(binary.LittleEndian.Uint16(b[1:]))
+
+			b = b[3:]
+
+			if len(b) < l {
 				return r, errors.New("not enough data")
 			}
-			part := b[3 : 3+l]
+
+			part := b[:l]
 			r = append(r, part)
-			b = b[3+l:]
+			b = b[l:]
 
 		case OpPUSHDATA4:
 			if len(b) < 5 {
 				return r, errors.New("not enough data")
 			}
-			l := binary.LittleEndian.Uint32(b[1:])
-			if len(b) < int(5+l) {
+
+			l := int(binary.LittleEndian.Uint32(b[1:]))
+
+			b = b[5:]
+
+			if len(b) < l {
 				return r, errors.New("not enough data")
 			}
-			part := b[5 : 5+l]
+
+			part := b[:l]
 			r = append(r, part)
-			b = b[5+l:]
+			b = b[l:]
 
 		default:
 			if b[0] >= 0x01 && b[0] <= OpPUSHDATA4 {

diff --git a/bscript/oppushdata_test.go b/bscript/oppushdata_test.go
@@ -4,8 +4,9 @@ import (
 	"encoding/hex"
 	"testing"
 
-	"github.com/libsv/go-bt/bscript"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/libsv/go-bt/bscript"
 )
 
 func TestDecodeParts(t *testing.T) {
@@ -98,6 +99,31 @@ func TestDecodeParts(t *testing.T) {
 		assert.Equal(t, 0, len(decoded))
 	})
 
+	t.Run("invalid decode using OP_PUSHDATA2 - overflow", func(t *testing.T) {
+
+		b := make([]byte, 0)
+		b = append(b, bscript.OpPUSHDATA2)
+		b = append(b, 0xff)
+		b = append(b, 0xff)
+
+		bigScript := make([]byte, 0xffff)
+
+		b = append(b, bigScript...)
+
+		t.Logf("Script len is %d", len(b))
+
+		defer func() {
+			if r := recover(); r != nil {
+				t.Errorf("Panic detected: %v", r)
+			}
+		}()
+
+		_, err := bscript.DecodeParts(b)
+		if err != nil {
+			t.Error(err)
+		}
+	})
+
 	t.Run("invalid decode using OP_PUSHDATA4 - payload too small", func(t *testing.T) {
 
 		data := "testing the code OP_PUSHDATA4"