fix(encoding): encodeVarint() throws when value or buffer overflows #7149

Open
truffle-dev wants to merge 1 commit into denoland:main from truffle-dev:fix-encoding-varint-buffer-overflow

@truffle-dev

Fixes #7147.

`encodeVarint()` silently truncated when the input exceeded uint64 with the default 10-byte buffer. The loop bound `i <= Math.min(buf.length, MaxVarintLen64)` allowed an out-of-bounds write that `Uint8Array` silently dropped, and the final `num < MSBN` branch returned a tuple whose array length and reported offset disagreed:

```ts
encodeVarint(0x1234567891234567891n);
// [Uint8Array(10) [...10 bytes...], 11]   <- offset says 11 but array is 10
```

The fix adds an explicit `num > MaxUint64` check before the loop and tightens the loop bound to `i < buf.length`. The trailing throw now reports the specific failure mode (buffer too small), since uint64 overflow is caught upfront. Two regression tests cover both branches: a uint64-overflow input on the default buffer, and a valid uint64 value on a buffer that's too small.

`encodeVarint()` silently truncated when the input exceeded uint64 with the default 10-byte buffer: the loop bound `i <= Math.min(buf.length, MaxVarintLen64)` allowed an out-of-bounds write that was silently dropped by `Uint8Array`, and the final `num < MSBN` branch returned a tuple whose array length and reported offset disagreed.

Add an explicit `num > MaxUint64` check before the loop and tighten the loop bound to `i < buf.length`. The trailing throw now reports the specific failure mode (buffer too small), since uint64 overflow is handled upfront.

Closes denoland#7147
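
The behaviour described in this pull request, before and after the change, as an added JavaScript example that is not the project's own code. The function names `encodeVarintBefore`, `encodeVarintAfter` and `isTerminated` and the error messages are hypothetical; only the two loop bounds, the `num > MaxUint64` check and the constant names come from the description above.

```javascript
// Added illustration (not the project's code). Names ending in Before/After
// and the error messages are hypothetical; inputs are assumed non-negative.
const MaxUint64 = (1n << 64n) - 1n;
const MaxVarintLen64 = 10;
const MSBN = 0x80n;

// "Before": loop bound as quoted in the PR description.
function encodeVarintBefore(value, buf = new Uint8Array(MaxVarintLen64), offset = 0) {
  let num = BigInt(value);
  for (let i = offset; i <= Math.min(buf.length, MaxVarintLen64); i += 1) {
    if (num < MSBN) {
      buf[i] = Number(num); // if i === buf.length, Uint8Array drops this write
      return [buf.slice(offset, i + 1), i + 1]; // slice clamps, offset does not
    }
    buf[i] = Number((num & 0x7fn) | MSBN); // low 7 bits plus continuation bit
    num >>= 7n;
  }
  throw new RangeError("overflow");
}

// "After": range check up front, loop never indexes past the buffer.
function encodeVarintAfter(value, buf = new Uint8Array(MaxVarintLen64), offset = 0) {
  let num = BigInt(value);
  if (num > MaxUint64) throw new RangeError("value exceeds uint64");
  for (let i = offset; i < buf.length; i += 1) {
    if (num < MSBN) {
      buf[i] = Number(num);
      return [buf.slice(offset, i + 1), i + 1];
    }
    buf[i] = Number((num & 0x7fn) | MSBN);
    num >>= 7n;
  }
  throw new RangeError("buffer too small");
}

// A well-formed varint ends with a byte whose continuation bit is clear.
function isTerminated(bytes) {
  return bytes.length > 0 && (bytes[bytes.length - 1] & 0x80) === 0;
}

// Constructed sample input: the 73-bit value from the PR description.
const tooBig = 0x1234567891234567891n;
const [bytes, end] = encodeVarintBefore(tooBig);
console.log(bytes.length, end, isTerminated(bytes)); // 10 11 false
```

The unterminated output matters to whatever consumes it: a decoder reading those 10 bytes never sees a final byte, so a caller that trusts the returned offset to frame the next field reads from the wrong position.
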
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@codecov

codecov Bot commented May 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.61%. Comparing base (95a1e2e) to head (9358a8b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7149      +/-   ##
==========================================
- Coverage   94.61%   94.61%   -0.01%     
==========================================
  Files         634      634              
  Lines       51843    51847       +4     
  Branches     9346     9348       +2     
==========================================
+ Hits        49050    49053       +3     
  Misses       2218     2218              
- Partials      575      576       +1     

Successfully merging this pull request may close these issues.

Bug encoding/varint.ts: Should panic, When default buffer is too small