Fix range bound overflow in Vec/Bytes slice and GenRange gen_range for u64 (#1703)

### What

- Replace unchecked `+1` / `-1` arithmetic in `Bytes::slice`,
`Vec::slice`, and `Prng::gen_range` (u64) range bound conversions with
`checked_add` / `checked_sub` using `expect_optimized`
- Add `expect_optimized` to the `UnwrapOptimized` trait for `Option` and
`Result`, which traps via `wasm32::unreachable()` on Wasm and panics
with the message in tests
- Add test coverage for `Bytes::slice`, `Vec::slice`, and
`Prng::gen_range` boundary conditions including overflow edge cases

### Why

When compiled with `overflow-checks = false` (the default for release
builds), the bare arithmetic in those functions silently wraps on
boundary values like `u32::MAX` or `u64::MAX`. This causes the range
passed to the host to differ from the caller's intent — for example,
`Bytes::slice(0..=u32::MAX)` wraps to `slice(0..0)` returning empty, and
`prng.gen_range((Bound::Excluded(u64::MAX), Bound::Unbounded))` wraps to
the full `0..=u64::MAX` range. Contracts using user-controlled or
computed range bounds could silently operate on wrong data or generate
random numbers from an unintended range.

The tooling for Soroban contracts that generates boilerplate for new
contracts sets `overflow-checks = true` for the release profile, and
docs encourage the same pattern, but this ensures that these overflows
are caught even if a developer accidentally turns that off.

(cherry picked from commit c2757c6)

Author: leighmcculloch

soroban-sdk/src/bytes.rs

@@ -713,11 +713,15 @@ impl Bytes {
     pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
         let start_bound = match r.start_bound() {
             Bound::Included(s) => *s,
-            Bound::Excluded(s) => *s + 1,
+            Bound::Excluded(s) => s
+                .checked_add(1)
+                .expect_optimized("attempt to add with overflow"),
             Bound::Unbounded => 0,
         };
         let end_bound = match r.end_bound() {
-            Bound::Included(s) => *s + 1,
+            Bound::Included(s) => s
+                .checked_add(1)
+                .expect_optimized("attempt to add with overflow"),
             Bound::Excluded(s) => *s,
             Bound::Unbounded => self.len(),
         };

soroban-sdk/src/prng.rs

@@ -469,12 +469,16 @@ impl GenRange for u64 {
         assert_in_contract!(env);
         let start_bound = match r.start_bound() {
             Bound::Included(b) => *b,
-            Bound::Excluded(b) => *b + 1,
+            Bound::Excluded(b) => b
+                .checked_add(1)
+                .expect_optimized("attempt to add with overflow"),
             Bound::Unbounded => u64::MIN,
         };
         let end_bound = match r.end_bound() {
             Bound::Included(b) => *b,
-            Bound::Excluded(b) => *b - 1,
+            Bound::Excluded(b) => b
+                .checked_sub(1)
+                .expect_optimized("attempt to subtract with overflow"),
             Bound::Unbounded => u64::MAX,
         };
         internal::Env::prng_u64_in_inclusive_range(env, start_bound, end_bound).unwrap_infallible()

soroban-sdk/src/tests.rs

@@ -4,6 +4,7 @@ mod address;
 mod auth;
 mod bytes_alloc_vec;
 mod bytes_buffer;
+mod bytes_slice;
 mod cmp_across_env_in_tests;
 mod contract_add_i32;
 mod contract_assert;
@@ -35,8 +36,10 @@ mod crypto_sha256;
 mod env;
 mod max_ttl;
 mod prng;
+mod prng_range;
 mod proptest_scval_cmp;
 mod proptest_val_cmp;
 mod storage_testutils;
 mod token_client;
 mod token_spec;
+mod vec_slice;

soroban-sdk/src/tests/bytes_slice.rs

@@ -0,0 +1,83 @@
+use core::ops::Bound;
+
+use crate::{Bytes, Env};
+
+#[test]
+fn test_slice_full_range() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let sliced = bytes.slice(0..3);
+    assert_eq!(sliced.len(), 3);
+    assert_eq!(sliced.get_unchecked(0), 1);
+    assert_eq!(sliced.get_unchecked(1), 2);
+    assert_eq!(sliced.get_unchecked(2), 3);
+}
+
+#[test]
+fn test_slice_middle() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let sliced = bytes.slice(1..2);
+    assert_eq!(sliced.len(), 1);
+    assert_eq!(sliced.get_unchecked(0), 2);
+}
+
+// Excluded(u32::MAX) start computes u32::MAX + 1 which overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_excluded_start_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let _ = bytes.slice((Bound::Excluded(u32::MAX), Bound::Unbounded));
+}
+
+// Included(u32::MAX) end computes u32::MAX + 1 which overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_included_end_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let _ = bytes.slice(0..=u32::MAX);
+}
+
+// Both bounds u32::MAX: Excluded start computes u32::MAX + 1 which overflows,
+// and Included end computes u32::MAX + 1 which also overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_both_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let _ = bytes.slice(u32::MAX..=u32::MAX);
+}
+
+#[test]
+#[should_panic(expected = "HostError: Error(Object, IndexBounds)")]
+fn test_slice_out_of_bounds_end_host_side() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let _ = bytes.slice(0..4);
+}
+
+#[test]
+#[should_panic(expected = "HostError: Error(Object, IndexBounds)")]
+fn test_slice_out_of_bounds_start_host_side() {
+    let env = Env::default();
+    let bytes = Bytes::from_slice(&env, &[1, 2, 3]);
+    let _ = bytes.slice(4..);
+}
+
+#[test]
+fn test_slice_empty_full_range() {
+    let env = Env::default();
+    let bytes = Bytes::new(&env);
+    let sliced = bytes.slice(..);
+    assert_eq!(sliced.len(), 0);
+}
+
+#[test]
+fn test_slice_empty_zero_range() {
+    let env = Env::default();
+    let bytes = Bytes::new(&env);
+    let sliced = bytes.slice(0..0);
+    assert_eq!(sliced.len(), 0);
+}

soroban-sdk/src/tests/prng_range.rs

@@ -0,0 +1,111 @@
+use core::ops::Bound;
+
+use crate::{self as soroban_sdk, testutils::EnvTestConfig, Env};
+use soroban_sdk::contract;
+
+#[contract]
+pub struct TestPrngRangeContract;
+
+#[test]
+fn test_gen_range_u64_full_range() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let _: u64 = env.prng().gen_range(..);
+    });
+}
+
+#[test]
+fn test_gen_range_u64_inclusive() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        for _ in 0..100 {
+            let val: u64 = env.prng().gen_range(5..=10);
+            assert!(val >= 5 && val <= 10);
+        }
+    });
+}
+
+#[test]
+fn test_gen_range_u64_exclusive_end() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        for _ in 0..100 {
+            let val: u64 = env.prng().gen_range(5..10);
+            assert!(val >= 5 && val < 10);
+        }
+    });
+}
+
+#[test]
+fn test_gen_range_u64_single_value() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let val: u64 = env.prng().gen_range(7..=7);
+        assert_eq!(val, 7);
+    });
+}
+
+// Excluded(u64::MAX) start computes u64::MAX + 1 which overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_gen_range_u64_excluded_start_u64_max_overflows() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let _: u64 = env
+            .prng()
+            .gen_range((Bound::Excluded(u64::MAX), Bound::Unbounded));
+    });
+}
+
+#[test]
+fn test_gen_range_u64_included_end_u64_max() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let _: u64 = env.prng().gen_range(0u64..=u64::MAX);
+    });
+}
+
+// Excluded(0) end computes 0 - 1 which underflows.
+#[should_panic(expected = "attempt to subtract with overflow")]
+#[test]
+fn test_gen_range_u64_excluded_end_zero_underflows() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let _: u64 = env
+            .prng()
+            .gen_range((Bound::<u64>::Unbounded, Bound::Excluded(0)));
+    });
+}
+
+#[test]
+fn test_gen_range_u64_both_u64_max() {
+    let env = Env::new_with_config(EnvTestConfig {
+        capture_snapshot_at_drop: false,
+    });
+    let id = env.register(TestPrngRangeContract, ());
+    env.as_contract(&id, || {
+        let val: u64 = env.prng().gen_range(u64::MAX..=u64::MAX);
+        assert_eq!(val, u64::MAX);
+    });
+}

soroban-sdk/src/tests/vec_slice.rs

@@ -0,0 +1,83 @@
+use core::ops::Bound;
+
+use crate::{vec, Env, Vec};
+
+#[test]
+fn test_slice_full_range() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let sliced = v.slice(0..3);
+    assert_eq!(sliced.len(), 3);
+    assert_eq!(sliced.get_unchecked(0), 1);
+    assert_eq!(sliced.get_unchecked(1), 2);
+    assert_eq!(sliced.get_unchecked(2), 3);
+}
+
+#[test]
+fn test_slice_middle() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let sliced = v.slice(1..2);
+    assert_eq!(sliced.len(), 1);
+    assert_eq!(sliced.get_unchecked(0), 2);
+}
+
+// Excluded(u32::MAX) start computes u32::MAX + 1 which overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_excluded_start_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let _ = v.slice((Bound::Excluded(u32::MAX), Bound::Unbounded));
+}
+
+// Included(u32::MAX) end computes u32::MAX + 1 which overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_included_end_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let _ = v.slice(0..=u32::MAX);
+}
+
+// Both bounds u32::MAX: Excluded start computes u32::MAX + 1 which overflows,
+// and Included end computes u32::MAX + 1 which also overflows.
+#[test]
+#[should_panic(expected = "attempt to add with overflow")]
+fn test_slice_both_u32_max_overflows_panics_guest_side() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let _ = v.slice(u32::MAX..=u32::MAX);
+}
+
+#[test]
+#[should_panic(expected = "HostError: Error(Object, IndexBounds)")]
+fn test_slice_out_of_bounds_end_host_side() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let _ = v.slice(0..4);
+}
+
+#[test]
+#[should_panic(expected = "HostError: Error(Object, IndexBounds)")]
+fn test_slice_out_of_bounds_start_host_side() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env, 1, 2, 3];
+    let _ = v.slice(4..);
+}
+
+#[test]
+fn test_slice_empty_full_range() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env];
+    let sliced = v.slice(..);
+    assert_eq!(sliced.len(), 0);
+}
+
+#[test]
+fn test_slice_empty_zero_range() {
+    let env = Env::default();
+    let v: Vec<u32> = vec![&env];
+    let sliced = v.slice(0..0);
+    assert_eq!(sliced.len(), 0);
+}

soroban-sdk/src/unwrap.rs

@@ -3,6 +3,7 @@ use core::convert::Infallible;
 pub trait UnwrapOptimized {
     type Output;
     fn unwrap_optimized(self) -> Self::Output;
+    fn expect_optimized(self, msg: &'static str) -> Self::Output;
 }
 
 impl<T> UnwrapOptimized for Option<T> {
@@ -18,6 +19,17 @@ impl<T> UnwrapOptimized for Option<T> {
         #[cfg(not(target_family = "wasm"))]
         self.unwrap()
     }
+
+    #[inline(always)]
+    fn expect_optimized(self, _msg: &'static str) -> Self::Output {
+        #[cfg(target_family = "wasm")]
+        match self {
+            Some(t) => t,
+            None => core::arch::wasm32::unreachable(),
+        }
+        #[cfg(not(target_family = "wasm"))]
+        self.expect(_msg)
+    }
 }
 
 impl<T, E: core::fmt::Debug> UnwrapOptimized for Result<T, E> {
@@ -33,6 +45,17 @@ impl<T, E: core::fmt::Debug> UnwrapOptimized for Result<T, E> {
         #[cfg(not(target_family = "wasm"))]
         self.unwrap()
     }
+
+    #[inline(always)]
+    fn expect_optimized(self, _msg: &'static str) -> Self::Output {
+        #[cfg(target_family = "wasm")]
+        match self {
+            Ok(t) => t,
+            Err(_) => core::arch::wasm32::unreachable(),
+        }
+        #[cfg(not(target_family = "wasm"))]
+        self.expect(_msg)
+    }
 }
 
 pub trait UnwrapInfallible {

soroban-sdk/src/vec.rs

@@ -750,11 +750,15 @@ impl<T> Vec<T> {
     pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
         let start_bound = match r.start_bound() {
             Bound::Included(s) => *s,
-            Bound::Excluded(s) => *s + 1,
+            Bound::Excluded(s) => s
+                .checked_add(1)
+                .expect_optimized("attempt to add with overflow"),
             Bound::Unbounded => 0,
         };
         let end_bound = match r.end_bound() {
-            Bound::Included(s) => *s + 1,
+            Bound::Included(s) => s
+                .checked_add(1)
+                .expect_optimized("attempt to add with overflow"),
             Bound::Excluded(s) => *s,
             Bound::Unbounded => self.len(),
         };