Validate Merkle proofs and updates in TLB validate (#1479)

SpyCheese · web-flow · commit 710514b8f1db · 2025-01-16T09:42:05.000+03:00
* Validate Merkle proofs and updates in TLB validate

* Fix out-of-bound access in tl_jni_object.cpp
diff --git a/crypto/block/block.tlb b/crypto/block/block.tlb
@@ -296,7 +296,7 @@ transaction$0111 account_addr:bits256 lt:uint64
   total_fees:CurrencyCollection state_update:^(HASH_UPDATE Account)
   description:^TransactionDescr = Transaction;
 
-!merkle_update#02 {X:Type} old_hash:bits256 new_hash:bits256
+!merkle_update#04 {X:Type} old_hash:bits256 new_hash:bits256 old_depth:uint16 new_depth:uint16
   old:^X new:^X = MERKLE_UPDATE X;
 update_hashes#72 {X:Type} old_hash:bits256 new_hash:bits256
   = HASH_UPDATE X;
diff --git a/crypto/tl/tlbc-gen-cpp.cpp b/crypto/tl/tlbc-gen-cpp.cpp
@@ -2074,7 +2074,7 @@ void CppTypeCode::generate_skip_field(const Constructor& constr, const Field& fi
     output_cpp_expr(ss, expr, 100);
     ss << '.';
   }
-  ss << "validate_skip_ref(ops, cs, weak)" << tail;
+  ss << "validate_skip_ref(ops, cs, " << (constr.is_special ? "true" : "weak") << ")" << tail;
   actions += Action{ss.str()};
 }
 
diff --git a/crypto/tl/tlblib.cpp b/crypto/tl/tlblib.cpp
@@ -133,7 +133,13 @@ bool TLB::validate_ref_internal(int* ops, Ref<vm::Cell> cell_ref, bool weak) con
   }
   bool is_special;
   auto cs = load_cell_slice_special(std::move(cell_ref), is_special);
-  return always_special() ? is_special : (is_special ? weak : (validate_skip(ops, cs) && cs.empty_ext()));
+  if (cs.special_type() == vm::Cell::SpecialType::PrunnedBranch && weak) {
+    return true;
+  }
+  if (always_special() != is_special) {
+    return false;
+  }
+  return validate_skip(ops, cs, weak) && cs.empty_ext();
 }
 
 bool TLB::print_skip(PrettyPrinter& pp, vm::CellSlice& cs) const {
diff --git a/tl/tl/tl_jni_object.cpp b/tl/tl/tl_jni_object.cpp
@@ -115,8 +115,9 @@ static size_t get_utf8_from_utf16_length(const jchar *p, jsize len) {
   for (jsize i = 0; i < len; i++) {
     unsigned int cur = p[i];
     if ((cur & 0xF800) == 0xD800) {
+      ++i;
       if (i < len) {
-        unsigned int next = p[++i];
+        unsigned int next = p[i];
         if ((next & 0xFC00) == 0xDC00 && (cur & 0x400) == 0) {
           result += 4;
           continue;

Original file line number	Diff line number	Diff line change
`@@ -2074,7 +2074,7 @@ void CppTypeCode::generate_skip_field(const Constructor& constr, const Field& fi`
`2074`	`2074`	`output_cpp_expr(ss, expr, 100);`
`2075`	`2075`	`ss << '.';`
`2076`	`2076`	`}`
`2077`		`- ss << "validate_skip_ref(ops, cs, weak)" << tail;`
	`2077`	`+ ss << "validate_skip_ref(ops, cs, " << (constr.is_special ? "true" : "weak") << ")" << tail;`
`2078`	`2078`	`actions += Action{ss.str()};`
`2079`	`2079`	`}`
`2080`	`2080`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,13 @@ bool TLB::validate_ref_internal(int* ops, Ref<vm::Cell> cell_ref, bool weak) con`
`133`	`133`	`}`
`134`	`134`	`bool is_special;`
`135`	`135`	`auto cs = load_cell_slice_special(std::move(cell_ref), is_special);`
`136`		`- return always_special() ? is_special : (is_special ? weak : (validate_skip(ops, cs) && cs.empty_ext()));`
	`136`	`+ if (cs.special_type() == vm::Cell::SpecialType::PrunnedBranch && weak) {`
	`137`	`+ return true;`
	`138`	`+ }`
	`139`	`+ if (always_special() != is_special) {`
	`140`	`+ return false;`
	`141`	`+ }`
	`142`	`+ return validate_skip(ops, cs, weak) && cs.empty_ext();`
`137`	`143`	`}`
`138`	`144`
`139`	`145`	`bool TLB::print_skip(PrettyPrinter& pp, vm::CellSlice& cs) const {`