From 5b6534fd566c51f9f1b0f699bdc1031e42070d69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20D=E2=80=99Aquino?=
Date: Fri, 25 Jul 2025 15:02:41 -0700
Subject: [PATCH] Fix stack corruption in bech32 parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit fixes a stack corruption issue caused by an off-by-one error in one of the functions responsible for parsing bech32 entities.

Changelog-None

Signed-off-by: Daniel D’Aquino
---
 nostrdb/src/bolt11/bech32.c | 4 +++-
 nostrdb/src/nostr_bech32.c  | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/nostrdb/src/bolt11/bech32.c b/nostrdb/src/bolt11/bech32.c
index e1c9e183..5b335b98 100644
--- a/nostrdb/src/bolt11/bech32.c
+++ b/nostrdb/src/bolt11/bech32.c
@@ -104,7 +104,9 @@ bech32_encoding bech32_decode_len(char* hrp, uint8_t *data, size_t *data_len, co
         ++(*data_len);
     }
     hrp_len = input_len - (1 + *data_len);
-    if (hrp_len > max_hrp_len)
+    // Maximum amount of text content is buffer length - 1 byte, to account for the null-terminator
+    int max_hrp_content_len = max_hrp_len - 1;
+    if (hrp_len > max_hrp_content_len)
         return BECH32_ENCODING_NONE;
     if (1 + *data_len >= input_len || *data_len < 6) {
         return BECH32_ENCODING_NONE;
diff --git a/nostrdb/src/nostr_bech32.c b/nostrdb/src/nostr_bech32.c
index 10aba8ab..1affb1af 100644
--- a/nostrdb/src/nostr_bech32.c
+++ b/nostrdb/src/nostr_bech32.c
@@ -307,7 +307,7 @@ int parse_nostr_bech32(unsigned char *buf, int buflen,
 	unsigned char *start;
 	size_t parsed_len, u5_out_len, u8_out_len;
 	enum nostr_bech32_type type;
-#define MAX_PREFIX 8
+	#define MAX_PREFIX 9 // 8 bytes for the text, 1 byte for the null terminator
 	struct cursor cur, bech32, u8;
 
 	make_cursor(buf, buf + buflen, &cur);
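Review bot: The new `int max_hrp_content_len = max_hrp_len - 1;` mixes a signed local into what is otherwise size_t arithmetic, and if `max_hrp_len` is an unsigned size (as the size_t `hrp_len` it is compared against suggests) a caller passing 0 makes `max_hrp_len - 1` wrap, lands in `int` as -1, and the comparison `hrp_len > -1` then promotes back to unsigned and rejects nothing, so an empty buffer would be written through. Expressing the bound without the subtraction avoids both the signed/unsigned comparison and the underflow: `if (hrp_len >= max_hrp_len) return BECH32_ENCODING_NONE;` reserves the terminator byte for every `max_hrp_len`, including 0. This hunk also changes the meaning of `max_hrp_len` from maximum text length to total buffer size, so any other caller of `bech32_decode_len` (none are visible here) should be audited, and the parameter's new contract is worth stating at the declaration, e.g. `/* max_hrp_len is the size of hrp in bytes, including the terminating NUL */`. bech32_decode_len begins before and continues after this hunk, so whether and where hrp is actually NUL-terminated cannot be confirmed from the patch.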
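Review bot: The replacement `#define MAX_PREFIX 9` is now indented with the local declarations and carries its comment as a trailing `//`, which reads as if it were a statement; a preprocessor directive is conventionally kept at column 0 (as the removed line was) with the explanation on the line above, `/* prefix buffer size: 8 bytes of text plus the NUL terminator */`. Since the constant now means buffer size rather than maximum prefix length, the name no longer matches its use, and the correctness of this change rests on every use of MAX_PREFIX in parse_nostr_bech32 (the array declaration and the bound passed to bech32_decode_len) agreeing on the "includes terminator" meaning; those lines lie outside the hunk and the function continues past it, so they cannot be checked here.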