fix: add length validation for blob sidecar deserialization (#4795)

envestcc · web-flow · commit f3455a7f61cc · 2026-03-16T22:27:33.000+08:00
diff --git a/action/blob_data.go b/action/blob_data.go
@@ -137,13 +137,22 @@ func FromProtoBlobTxSideCar(pb *iotextypes.BlobTxSidecar) (*types.BlobTxSidecar,
 		Proofs:      make([]kzg4844.Proof, len(pb.Proofs)),
 	}
 	for i := range pb.Blobs {
-		sidecar.Blobs[i] = *(*kzg4844.Blob)(pb.Blobs[i])
+		if len(pb.Blobs[i]) != len(kzg4844.Blob{}) {
+			return nil, errors.New("invalid blob length")
+		}
+		copy(sidecar.Blobs[i][:], pb.Blobs[i])
 	}
 	for i := range pb.Commitments {
-		sidecar.Commitments[i] = *(*kzg4844.Commitment)(pb.Commitments[i])
+		if len(pb.Commitments[i]) != len(kzg4844.Commitment{}) {
+			return nil, errors.New("invalid commitment length")
+		}
+		copy(sidecar.Commitments[i][:], pb.Commitments[i])
 	}
 	for i := range pb.Proofs {
-		sidecar.Proofs[i] = *(*kzg4844.Proof)(pb.Proofs[i])
+		if len(pb.Proofs[i]) != len(kzg4844.Proof{}) {
+			return nil, errors.New("invalid proof length")
+		}
+		copy(sidecar.Proofs[i][:], pb.Proofs[i])
 	}
 	return &sidecar, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -137,13 +137,22 @@ func FromProtoBlobTxSideCar(pb iotextypes.BlobTxSidecar) (types.BlobTxSidecar,`
`137`	`137`	`Proofs: make([]kzg4844.Proof, len(pb.Proofs)),`
`138`	`138`	`}`
`139`	`139`	`for i := range pb.Blobs {`
`140`		`- sidecar.Blobs[i] = (kzg4844.Blob)(pb.Blobs[i])`
	`140`	`+ if len(pb.Blobs[i]) != len(kzg4844.Blob{}) {`
	`141`	`+ return nil, errors.New("invalid blob length")`
	`142`	`+ }`
	`143`	`+ copy(sidecar.Blobs[i][:], pb.Blobs[i])`
`141`	`144`	`}`
`142`	`145`	`for i := range pb.Commitments {`
`143`		`- sidecar.Commitments[i] = (kzg4844.Commitment)(pb.Commitments[i])`
	`146`	`+ if len(pb.Commitments[i]) != len(kzg4844.Commitment{}) {`
	`147`	`+ return nil, errors.New("invalid commitment length")`
	`148`	`+ }`
	`149`	`+ copy(sidecar.Commitments[i][:], pb.Commitments[i])`
`144`	`150`	`}`
`145`	`151`	`for i := range pb.Proofs {`
`146`		`- sidecar.Proofs[i] = (kzg4844.Proof)(pb.Proofs[i])`
	`152`	`+ if len(pb.Proofs[i]) != len(kzg4844.Proof{}) {`
	`153`	`+ return nil, errors.New("invalid proof length")`
	`154`	`+ }`
	`155`	`+ copy(sidecar.Proofs[i][:], pb.Proofs[i])`
`147`	`156`	`}`
`148`	`157`	`return &sidecar, nil`
`149`	`158`	`}`