From 2d56c66bdeab2f9aa312d6d3308d29ef726a5cb8 Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov
Date: Thu, 17 Oct 2019 11:03:35 +0300
Subject: [PATCH] vm: restrict max size in APPEND
---
 pkg/vm/vm.go | 6 ++++++
 pkg/vm/vm_test.go | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/pkg/vm/vm.go b/pkg/vm/vm.go
index 7bc88723c..6c7049700 100644
--- a/pkg/vm/vm.go
+++ b/pkg/vm/vm.go
@@ -786,10 +786,16 @@ func (v *VM) execute(ctx *Context, op Instruction, parameter []byte) {
 switch t := arrElem.value.(type) {
 case *ArrayItem:
 arr := t.Value().([]StackItem)
+ if len(arr) >= MaxArraySize {
+ panic("too long array")
+ }
 arr = append(arr, val)
 t.value = arr
 case *StructItem:
 arr := t.Value().([]StackItem)
+ if len(arr) >= MaxArraySize {
+ panic("too long struct")
+ }
 arr = append(arr, val)
 t.value = arr
 default:
diff --git a/pkg/vm/vm_test.go b/pkg/vm/vm_test.go
index 4cd5a0d60..98142bc36 100644
--- a/pkg/vm/vm_test.go
+++ b/pkg/vm/vm_test.go
@@ -652,6 +652,24 @@ func TestAPPENDWrongType(t *testing.T) {
 assert.Equal(t, true, vm.HasFailed())
 }

+func TestAPPENDGoodSizeLimit(t *testing.T) {
+ prog := makeProgram(NEWARRAY, DUP, PUSH0, APPEND)
+ vm := load(prog)
+ vm.estack.PushVal(MaxArraySize - 1)
+ vm.Run()
+ assert.Equal(t, false, vm.state.HasFlag(faultState))
+ assert.Equal(t, 1, vm.estack.Len())
+ assert.Equal(t, MaxArraySize, len(vm.estack.Pop().Array()))
+}
+
+func TestAPPENDBadSizeLimit(t *testing.T) {
+ prog := makeProgram(NEWARRAY, DUP, PUSH0, APPEND)
+ vm := load(prog)
+ vm.estack.PushVal(MaxArraySize)
+ vm.Run()
+ assert.Equal(t, true, vm.state.HasFlag(faultState))
+}
+
 func TestPICKITEMBadIndex(t *testing.T) {
 prog := makeProgram(PICKITEM)
 vm := load(prog)
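Review bot: The guards added in the `*ArrayItem` and `*StructItem` arms cap the length of one compound item only; they do not limit how many items a script can hold in total, because `val` may itself be an array that is already at `MaxArraySize`. If the purpose of the change is to bound the memory an untrusted script can make the VM allocate, an aggregate item-count limit is still needed; whether one exists elsewhere in `execute` cannot be seen here, since the hunk starts and ends inside that function. The intent is also undocumented, so I would put a comment above the first guard, e.g. `// APPEND must not grow an item beyond MaxArraySize; the panic is expected to surface as a VM fault.`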
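Review bot: Both new tests build the item with `NEWARRAY`, so only the `*ArrayItem` guard is exercised and the `*StructItem` guard with its "too long struct" panic has no coverage. A struct variant of the failing case, sketched below, would close that gap, assuming `NEWSTRUCT` accepts the same size operand as `NEWARRAY`, which is not visible on this page. Separately, the neighbouring `TestAPPENDWrongType` checks `vm.HasFailed()` while the new tests read `vm.state.HasFlag(faultState)` directly; using the accessor throughout keeps the tests consistent.

```go
func TestAPPENDBadSizeLimitStruct(t *testing.T) {
	prog := makeProgram(NEWSTRUCT, DUP, PUSH0, APPEND)
	vm := load(prog)
	vm.estack.PushVal(MaxArraySize)
	vm.Run()
	assert.Equal(t, true, vm.HasFailed())
}
```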