Check inner payload length in SignedPayload::from_payload to avoid ov…

…erflow (#59)

Co-authored-by: Leigh McCulloch <[email protected]>

src/ed25519.rs

@@ -248,8 +248,9 @@ impl SignedPayload {
     pub fn from_payload(payload: &[u8]) -> Result<Self, DecodeError> {
         // 32-byte for the signer, 4-byte for the payload size, then either 4-byte for the
         // min or 64-byte for the max payload
+        const MAX_INNER_PAYLOAD_LENGTH: u32 = 64;
         const MIN_LENGTH: usize = 32 + 4 + 4;
-        const MAX_LENGTH: usize = 32 + 4 + 64;
+        const MAX_LENGTH: usize = 32 + 4 + (MAX_INNER_PAYLOAD_LENGTH as usize);
         let payload_len = payload.len();
         if !(MIN_LENGTH..=MAX_LENGTH).contains(&payload_len) {
             return Err(DecodeError::Invalid);
@@ -259,6 +260,9 @@ impl SignedPayload {
                 .try_into()
                 .map_err(|_| DecodeError::Invalid)?,
         );
+        if inner_payload_len > MAX_INNER_PAYLOAD_LENGTH {
+            return Err(DecodeError::Invalid);
+        }
         if (inner_payload_len + (4 - inner_payload_len % 4) % 4) as usize != payload_len - 32 - 4 {
             return Err(DecodeError::Invalid);
         }

tests/tests.rs

@@ -239,6 +239,17 @@ fn test_valid_contract() {
     );
 }
 
+#[test]
+fn test_signed_payload_from_string_doesnt_panic_with_unbounded_size() {
+    let payload: Vec<u8> = vec![
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    ];
+    let r = stellar_strkey::ed25519::SignedPayload::from_payload(&payload);
+    assert_eq!(r, Err(DecodeError::Invalid));
+}
+
 proptest! {
     #[test]
     fn test_public_key_ed25519_from_string_doesnt_panic(data: String) {