core/types: fix panic on invalid signature length #33647

[gzliudan]

Proposed changes

Replace panic with error return in decodeSignature to prevent crashes on invalid inputs, and update callers to propagate the error.

Ref: ethereum#33647

Types of changes

What types of changes does your code introduce to XDC network?
Put an ✅ in the boxes that apply

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation Update (if none of the other choices apply)
• Regular KTLO or any of the maintaince work. e.g code style
• CICD Improvement

Impacted Components

Which part of the codebase this PR will touch base on,

Put an ✅ in the boxes that apply

• Consensus
• Account
• Network
• Geth
• Smart Contract
• External components
• Not sure (Please specify below)

Checklist

Put an ✅ in the boxes once you have confirmed below actions (or provide reasons on not doing so) that

• This PR has sufficient test coverage (unit/integration test) OR I have provided reason in the PR description for not having test coverage
• Provide an end-to-end test plan in the PR description on how to manually test it on the devnet/testnet.
• Tested the backwards compatibility.
• Tested with XDC nodes running this version co-exist with those running the previous version.
• Relevant documentation has been updated as part of this PR
• N/A

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes a panic vulnerability in signature validation by converting the decodeSignature function to return an error instead of panicking when an invalid signature length is provided.

Changes:

• Modified decodeSignature to return an error instead of panicking for invalid signature lengths
• Updated all callers of decodeSignature across multiple signer implementations to properly handle and propagate the error
• Added a test case to verify that invalid signature lengths produce errors instead of panics

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
core/types/transaction_signing.go	Updated decodeSignature to return error and modified all signer implementations (pragueSigner, londonSigner, eip2930Signer, EIP155Signer, FrontierSigner) to handle the error
core/types/tx_setcode.go	Updated SignSetCode function to handle error from decodeSignature
core/types/transaction_signing_test.go	Added test case TestSignatureValuesError to verify proper error handling for invalid signatures

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.