fix(sol-types): overflow in abi decoder (#982)

DaniPopes · web-flow · commit 476462362ac5 · 2025-07-22T10:42:12.000+02:00
diff --git a/crates/sol-types/src/abi/decoder.rs b/crates/sol-types/src/abi/decoder.rs
@@ -147,7 +147,8 @@ impl<'de> Decoder<'de> {
     /// advancing the offset.
     #[inline]
     pub fn peek_len_at(&self, offset: usize, len: usize) -> Result<&'de [u8], Error> {
-        self.peek(offset..offset + len)
+        let end = offset.checked_add(len).ok_or(Error::Overrun)?;
+        self.peek(offset..end)
     }
 
     /// Peek a slice of size `len` from the buffer without advancing the offset.
@@ -280,6 +281,7 @@ pub fn decode_sequence<'de, T: TokenSeq<'de>>(data: &'de [u8]) -> Result<T> {
 
 #[cfg(test)]
 mod tests {
+    use super::*;
     use crate::{SolType, SolValue, sol, sol_data, utils::pad_usize};
     use alloc::string::ToString;
     use alloy_primitives::{Address, B256, U256, address, bytes, hex};
@@ -720,4 +722,15 @@ mod tests {
 
         assert_eq!(<Ty as SolType>::abi_decode(&encoded).unwrap(), ty);
     }
+
+    #[test]
+    fn offset_overflow() {
+        let encoded = hex!(
+            "0000000000000000000000000000000000000000000000000000000000000020"
+            "000000000000000000000000000000000000000000000000ffffffffffffffff"
+            "0000000000000000000000000000000000000000000000000000000000000000"
+        );
+        let err = <sol_data::String as SolType>::abi_decode(&encoded).unwrap_err();
+        assert_eq!(err, Error::Overrun);
+    }
 }
diff --git a/crates/sol-types/src/impl_core.rs b/crates/sol-types/src/impl_core.rs
@@ -48,7 +48,7 @@ where
     Ok(unsafe { array_assume_init(array) })
 }
 
-/// [`MaybeUninit::slice_assume_init_mut`]
+/// `MaybeUninit::slice_assume_init_mut`
 #[inline(always)]
 unsafe fn slice_assume_init_mut<T>(slice: &mut [MaybeUninit<T>]) -> &mut [T] {
     // SAFETY: similar to safety notes for `slice_get_ref`, but we have a
diff --git a/crates/sol-types/src/utils.rs b/crates/sol-types/src/utils.rs
@@ -11,7 +11,7 @@
 
 use crate::{Error, Result, Word};
 
-const USIZE_BYTES: usize = usize::BITS as usize / 8;
+const USIZE_BYTES: usize = size_of::<usize>();
 
 /// Calculates the padded length of a slice by rounding its length to the next
 /// word.

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ where`
`48`	`48`	`Ok(unsafe { array_assume_init(array) })`
`49`	`49`	`}`
`50`	`50`
`51`		-/// [`MaybeUninit::slice_assume_init_mut`]
	`51`	+/// `MaybeUninit::slice_assume_init_mut`
`52`	`52`	`#[inline(always)]`
`53`	`53`	`unsafe fn slice_assume_init_mut<T>(slice: &mut [MaybeUninit<T>]) -> &mut [T] {`
`54`	`54`	// SAFETY: similar to safety notes for `slice_get_ref`, but we have a