From 8814293eea2a2c5006038a5dda8d1d4e793d6d78 Mon Sep 17 00:00:00 2001
From: rodiazet
Date: Thu, 23 Mar 2023 16:48:09 +0100
Subject: [PATCH] Add stack height verification to CALLF impl

---
 lib/evmone/instructions.hpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/evmone/instructions.hpp b/lib/evmone/instructions.hpp
index 1454af31c5..169357be69 100644
--- a/lib/evmone/instructions.hpp
+++ b/lib/evmone/instructions.hpp
@@ -933,13 +933,21 @@ evmc_status_code create_impl(StackTop stack, ExecutionState& state) noexcept;
 inline constexpr auto create = create_impl;
 inline constexpr auto create2 = create_impl;
-inline code_iterator callf(StackTop /*stack*/, ExecutionState& state, code_iterator pos) noexcept
+inline code_iterator callf(StackTop stack, ExecutionState& state, code_iterator pos) noexcept
 {
     const auto index = read_uint16_be(&pos[1]);
+    state.call_stack.push_back(pos + 3);
     const auto& header = state.analysis.baseline->eof_header;
+    const auto stack_size = &stack.top() - state.stack_space.bottom();
+    if (stack_size + header.types[index].max_stack_height > StackSpace::limit)
+    {
+        state.status = EVMC_STACK_OVERFLOW;
+        return nullptr;
+    }
+
     const auto offset = header.code_offsets[index] - header.code_offsets[0];
     auto code = state.analysis.baseline->executable_code;
     return code.data() + offset;