Merge pull request #400 from bsv-blockchain/fix/TOB-BSV-27

Fix/tob bsv 27

Author: ty-everett

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file. The format
 ## Table of Contents
 
 - [Unreleased](#unreleased)
+- [1.9.17 - 2025-12-01](#1917---2025-12-01)
+- [1.9.16 - 2025-12-01](#1916---2025-12-02)
 - [1.9.15 - 2025-12-01](#1915---2025-12-01)
 - [1.9.14 - 2025-12-01](#1914---2025-12-01)
 - [1.9.13 - 2025-12-01](#1913---2025-12-01)
@@ -185,6 +187,13 @@ All notable changes to this project will be documented in this file. The format
 ### Fixed
 
 ### Security
+---
+
+### [1.9.17] - 2025-12-01
+
+### Added
+
+- Added bound checking in the toUTF8 function to prevent buffer overflows.
 
 ---
 

docs/reference/primitives.md

@@ -6099,32 +6099,39 @@ toUTF8 = (arr: number[]): string => {
         }
         if (byte <= 127) {
             result += String.fromCharCode(byte);
+            continue;
         }
-        else if (byte >= 192 && byte <= 223) {
-            const byte2 = arr[i + 1];
-            skip = 1;
+        if (byte >= 192 && byte <= 223) {
+            const avail = arr.length - (i + 1);
+            const byte2 = avail >= 1 ? arr[i + 1] : 0;
+            skip = Math.min(1, avail);
             const codePoint = ((byte & 31) << 6) | (byte2 & 63);
             result += String.fromCharCode(codePoint);
+            continue;
         }
-        else if (byte >= 224 && byte <= 239) {
-            const byte2 = arr[i + 1];
-            const byte3 = arr[i + 2];
-            skip = 2;
+        if (byte >= 224 && byte <= 239) {
+            const avail = arr.length - (i + 1);
+            const byte2 = avail >= 1 ? arr[i + 1] : 0;
+            const byte3 = avail >= 2 ? arr[i + 2] : 0;
+            skip = Math.min(2, avail);
             const codePoint = ((byte & 15) << 12) | ((byte2 & 63) << 6) | (byte3 & 63);
             result += String.fromCharCode(codePoint);
+            continue;
         }
-        else if (byte >= 240 && byte <= 247) {
-            const byte2 = arr[i + 1];
-            const byte3 = arr[i + 2];
-            const byte4 = arr[i + 3];
-            skip = 3;
+        if (byte >= 240 && byte <= 247) {
+            const avail = arr.length - (i + 1);
+            const byte2 = avail >= 1 ? arr[i + 1] : 0;
+            const byte3 = avail >= 2 ? arr[i + 2] : 0;
+            const byte4 = avail >= 3 ? arr[i + 3] : 0;
+            skip = Math.min(3, avail);
             const codePoint = ((byte & 7) << 18) |
                 ((byte2 & 63) << 12) |
                 ((byte3 & 63) << 6) |
                 (byte4 & 63);
             const surrogate1 = 55296 + ((codePoint - 65536) >> 10);
             const surrogate2 = 56320 + ((codePoint - 65536) & 1023);
             result += String.fromCharCode(surrogate1, surrogate2);
+            continue;
         }
     }
     return result;

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.9.16",
+  "version": "1.9.17",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package.json

@@ -4,6 +4,7 @@ import {
   zero2,
   toHex,
   encode,
+  toUTF8,
   fromBase58,
   toBase58,
   fromBase58Check,
@@ -209,6 +210,48 @@ describe('utils', () => {
   })
 })
 
+describe('toUTF8 bounds checks', () => {
+  const guarded = (arr: number[]): number[] => {
+    const target = arr.slice()
+    const handler: ProxyHandler<number[]> = {
+      get (t, prop, receiver) {
+        if (prop === 'length' || typeof prop !== 'string') {
+          return Reflect.get(t, prop as any, receiver)
+        }
+        const idx = Number(prop)
+        if (Number.isInteger(idx)) {
+          if (idx < 0 || idx >= t.length) {
+            throw new Error(`out-of-bounds read at index ${idx} (length ${t.length})`)
+          }
+        }
+        return Reflect.get(t, prop as any, receiver)
+      }
+    }
+    return new Proxy(target, handler) as unknown as number[]
+  }
+
+  it('does not access out-of-bounds on truncated 2-byte sequence', () => {
+    const input = guarded([0xC3])
+    expect(() => toUTF8(input)).not.toThrow()
+  })
+
+  it('does not access out-of-bounds on truncated 3-byte sequences', () => {
+    const input1 = guarded([0xE2])
+    const input2 = guarded([0xE2, 0x82])
+    expect(() => toUTF8(input1)).not.toThrow()
+    expect(() => toUTF8(input2)).not.toThrow()
+  })
+
+  it('does not access out-of-bounds on truncated 4-byte sequences', () => {
+    const input1 = guarded([0xF0])
+    const input2 = guarded([0xF0, 0x9F])
+    const input3 = guarded([0xF0, 0x9F, 0x98])
+    expect(() => toUTF8(input1)).not.toThrow()
+    expect(() => toUTF8(input2)).not.toThrow()
+    expect(() => toUTF8(input3)).not.toThrow()
+  })
+})
+
 describe('toArray base64', () => {
   it('decodes empty string to empty array', () => {
     expect(toArray('', 'base64')).toEqual([])

src/primitives/__tests/utils.test.ts

@@ -237,7 +237,6 @@ export const toUTF8 = (arr: number[]): string => {
 
   for (let i = 0; i < arr.length; i++) {
     const byte = arr[i]
-
     // this byte is part of a multi-byte sequence, skip it
     // added to avoid modifying i within the loop which is considered unsafe.
     if (skip > 0) {
@@ -248,26 +247,41 @@ export const toUTF8 = (arr: number[]): string => {
     // 1-byte sequence (0xxxxxxx)
     if (byte <= 0x7f) {
       result += String.fromCharCode(byte)
-    } else if (byte >= 0xc0 && byte <= 0xdf) {
-      // 2-byte sequence (110xxxxx 10xxxxxx)
-      const byte2 = arr[i + 1]
-      skip = 1
+      continue
+    }
+
+    // 2-byte sequence (110xxxxx 10xxxxxx)
+    if (byte >= 0xc0 && byte <= 0xdf) {
+      const avail = arr.length - (i + 1)
+      const byte2 = avail >= 1 ? arr[i + 1] : 0
+      skip = Math.min(1, avail)
+
       const codePoint = ((byte & 0x1f) << 6) | (byte2 & 0x3f)
       result += String.fromCharCode(codePoint)
-    } else if (byte >= 0xe0 && byte <= 0xef) {
-      // 3-byte sequence (1110xxxx 10xxxxxx 10xxxxxx)
-      const byte2 = arr[i + 1]
-      const byte3 = arr[i + 2]
-      skip = 2
+      continue
+    }
+
+    // 3-byte sequence (1110xxxx 10xxxxxx 10xxxxxx)
+    if (byte >= 0xe0 && byte <= 0xef) {
+      const avail = arr.length - (i + 1)
+      const byte2 = avail >= 1 ? arr[i + 1] : 0
+      const byte3 = avail >= 2 ? arr[i + 2] : 0
+      skip = Math.min(2, avail)
+
       const codePoint =
         ((byte & 0x0f) << 12) | ((byte2 & 0x3f) << 6) | (byte3 & 0x3f)
       result += String.fromCharCode(codePoint)
-    } else if (byte >= 0xf0 && byte <= 0xf7) {
-      // 4-byte sequence (11110xxx 10xxxxxx 10xxxxxx 10xxxxxx)
-      const byte2 = arr[i + 1]
-      const byte3 = arr[i + 2]
-      const byte4 = arr[i + 3]
-      skip = 3
+      continue
+    }
+
+    // 4-byte sequence (11110xxx 10xxxxxx 10xxxxxx 10xxxxxx)
+    if (byte >= 0xf0 && byte <= 0xf7) {
+      const avail = arr.length - (i + 1)
+      const byte2 = avail >= 1 ? arr[i + 1] : 0
+      const byte3 = avail >= 2 ? arr[i + 2] : 0
+      const byte4 = avail >= 3 ? arr[i + 3] : 0
+      skip = Math.min(3, avail)
+
       const codePoint =
         ((byte & 0x07) << 18) |
         ((byte2 & 0x3f) << 12) |
@@ -278,6 +292,7 @@ export const toUTF8 = (arr: number[]): string => {
       const surrogate1 = 0xd800 + ((codePoint - 0x10000) >> 10)
       const surrogate2 = 0xdc00 + ((codePoint - 0x10000) & 0x3ff)
       result += String.fromCharCode(surrogate1, surrogate2)
+      continue
     }
   }