[serializer] Fixing issues in serialization

language/move-binary-format/src/deserializer.rs

@@ -65,6 +65,15 @@ fn read_u64_internal(cursor: &mut VersionedCursor) -> BinaryLoaderResult<u64> {
     Ok(u64::from_le_bytes(u64_bytes))
 }
 
+fn read_u64_internal_bounded(cursor: &mut VersionedCursor, max: u64) -> BinaryLoaderResult<u64> {
+    let val = read_u64_internal(cursor)?;
+    if val > max {
+        return Err(PartialVMError::new(StatusCode::MALFORMED)
+            .with_message("u64 greater than max requested".to_string()));
+    }
+    Ok(val)
+}
+
 fn read_u128_internal(cursor: &mut VersionedCursor) -> BinaryLoaderResult<u128> {
     let mut u128_bytes = [0; 16];
     cursor
@@ -1471,17 +1480,19 @@ fn load_code(cursor: &mut VersionedCursor, code: &mut Vec<Bytecode>) -> BinaryLo
                 Bytecode::MoveToGeneric(load_struct_def_inst_index(cursor)?)
             }
             Opcodes::FREEZE_REF => Bytecode::FreezeRef,
-            Opcodes::VEC_PACK => {
-                Bytecode::VecPack(load_signature_index(cursor)?, read_u64_internal(cursor)?)
-            }
+            Opcodes::VEC_PACK => Bytecode::VecPack(
+                load_signature_index(cursor)?,
+                read_u64_internal_bounded(cursor, VEC_PACK_UNPACK_MAX)?,
+            ),
             Opcodes::VEC_LEN => Bytecode::VecLen(load_signature_index(cursor)?),
             Opcodes::VEC_IMM_BORROW => Bytecode::VecImmBorrow(load_signature_index(cursor)?),
             Opcodes::VEC_MUT_BORROW => Bytecode::VecMutBorrow(load_signature_index(cursor)?),
             Opcodes::VEC_PUSH_BACK => Bytecode::VecPushBack(load_signature_index(cursor)?),
             Opcodes::VEC_POP_BACK => Bytecode::VecPopBack(load_signature_index(cursor)?),
-            Opcodes::VEC_UNPACK => {
-                Bytecode::VecUnpack(load_signature_index(cursor)?, read_u64_internal(cursor)?)
-            }
+            Opcodes::VEC_UNPACK => Bytecode::VecUnpack(
+                load_signature_index(cursor)?,
+                read_u64_internal_bounded(cursor, VEC_PACK_UNPACK_MAX)?,
+            ),
             Opcodes::VEC_SWAP => Bytecode::VecSwap(load_signature_index(cursor)?),
         };
         code.push(bytecode);

language/move-binary-format/src/file_format_common.rs

@@ -77,6 +77,8 @@ pub const TYPE_PARAMETER_INDEX_MAX: u64 = 65536;
 
 pub const SIGNATURE_TOKEN_DEPTH_MAX: usize = 256;
 
+pub const VEC_PACK_UNPACK_MAX: u64 = 65536;
+
 /// Constants for table types in the binary.
 ///
 /// The binary contains a subset of those tables. A table specification is a tuple (table type,

language/move-bytecode-verifier/src/stack_usage_verifier.rs

@@ -56,8 +56,22 @@ impl<'a> StackUsageVerifier<'a> {
                         .at_code_offset(self.current_function(), block_start),
                 );
             }
-            stack_size_increment -= num_pops;
-            stack_size_increment += num_pushes;
+            if let Some(new_incr) = u64::checked_sub(stack_size_increment, num_pops) {
+                stack_size_increment = new_incr
+            } else {
+                return Err(
+                    PartialVMError::new(StatusCode::NEGATIVE_STACK_SIZE_WITHIN_BLOCK)
+                        .at_code_offset(self.current_function(), block_start),
+                );
+            };
+            if let Some(new_incr) = u64::checked_add(stack_size_increment, num_pushes) {
+                stack_size_increment = new_incr
+            } else {
+                return Err(
+                    PartialVMError::new(StatusCode::POSITIVE_STACK_SIZE_AT_BLOCK_END)
+                        .at_code_offset(self.current_function(), block_start),
+                );
+            };
         }
 
         if stack_size_increment == 0 {