backport Potential Out-of-Range Panic in UnmarshalJSON() of HexOrDeci…

…mal256 (#13551) Not sure if this is the right way of doing a backport, but this is a backport for erigontech/security#12
erigontech · Jan 24, 2025 · 898dbf7 · 898dbf7
1 parent 1de3742
commit 898dbf7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/common/math/big.go b/common/math/big.go
@@ -56,7 +56,7 @@ func NewHexOrDecimal256(x int64) *HexOrDecimal256 {
 // It is similar to UnmarshalText, but allows parsing real decimals too, not just
 // quoted decimal strings.
 func (i *HexOrDecimal256) UnmarshalJSON(input []byte) error {
-	if len(input) > 0 && input[0] == '"' {
+	if len(input) > 1 && input[0] == '"' {
 		input = input[1 : len(input)-1]
 	}
 	return i.UnmarshalText(input)

diff --git a/common/math/big_test.go b/common/math/big_test.go
@@ -19,9 +19,10 @@ package math
 import (
 	"bytes"
 	"encoding/hex"
-	"github.com/erigontech/erigon-lib/common"
 	"math/big"
 	"testing"
+
+	"github.com/erigontech/erigon-lib/common"
 )
 
 func TestHexOrDecimal256(t *testing.T) {
@@ -324,3 +325,9 @@ func TestExp(t *testing.T) {
 		}
 	}
 }
+
+func TestHexOrDecimal256UnmarshalJSON(t *testing.T) {
+	input := []byte{'"'}
+	var num HexOrDecimal256
+	_ = num.UnmarshalJSON(input)
+}