♻️ Add extra check for decodeBatch (#1244)

Co-authored-by: rholterhus <[email protected]>
Vectorized · Dec 19, 2024 · 740812c · 740812c
1 parent 0dfa997
commit 740812c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/src/accounts/LibERC7579.sol b/src/accounts/LibERC7579.sol
@@ -155,7 +155,7 @@ library LibERC7579 {
             let e := sub(add(executionData.offset, executionData.length), 0x20)
             pointers.offset := add(s, 0x20)
             pointers.length := calldataload(s)
-            if or(shr(64, u), gt(s, e)) {
+            if or(shr(64, u), gt(add(s, shl(5, pointers.length)), e)) {
                 mstore(0x00, 0xba597e7e) // `DecodingError()`.
                 revert(0x1c, 0x04)
             }

diff --git a/test/LibERC7579.t.sol b/test/LibERC7579.t.sol
@@ -252,6 +252,34 @@ contract LibERC7579Test is SoladyTest {
         return pointers.length;
     }
 
+    function testDecodeBatchEdgeCase2() public {
+        (bool success,) = address(this).call(
+            abi.encodePacked(
+                bytes4(keccak256("propose2(bytes32,bytes,uint256)")),
+                hex"0100000000007821000100000000000000000000000000000000000000000000",
+                hex"0000000000000000000000000000000000000000000000000000000000000060", // offset to executionData
+                _randomUniform(),
+                uint256(32 * 5), // length of executionData (THIS SHOULD ACTUALLY BE 32 * 6 BUT WE REDUCE TO 32 * 5)
+                hex"0000000000000000000000000000000000000000000000000000000000000020", // offset to pointers array
+                hex"0000000000000000000000000000000000000000000000000000000000000004", // pointers array length
+                hex"0000000000000000000000000000000000000000000000000000000000000000", // offset to pointers[0]
+                hex"0000000000000000000000000000000000000000000000000000000000000000", // offset to pointers[1]
+                hex"0000000000000000000000000000000000000000000000000000000000000000", // offset to pointers[2]
+                hex"0000000000000000000000000000000000000000000000000000000000000000" // offset to pointers[3]
+            )
+        );
+        assertFalse(success);
+    }
+
+    function propose2(bytes32, bytes calldata executionData, uint256)
+        public
+        pure
+        returns (uint256)
+    {
+        bytes32[] memory pointers = LibERC7579.decodeBatch(executionData);
+        return pointers.length;
+    }
+
     function abiDecodeBatch(S calldata s) public pure returns (uint256) {
         Call[] memory pointers = abi.decode(s.executionData, (Call[]));
         return pointers.length;