From 492c91b4c5db02407107be656aa0adbb596e0296 Mon Sep 17 00:00:00 2001
From: Evgeniy Stratonikov
Date: Thu, 17 Mar 2022 18:38:31 +0300
Subject: [PATCH] vm: disallow negative offset in `(*Context).Next()`
Currently the only known reason this can happen is processing ENDFINALLY opcode before the corresponding ENDTRY.
Signed-off-by: Evgeniy Stratonikov
---
 pkg/vm/context.go | 3 +++
 pkg/vm/vm_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/pkg/vm/context.go b/pkg/vm/context.go
index 3cbace4b7..8c0c2a1dc 100644
--- a/pkg/vm/context.go
+++ b/pkg/vm/context.go
@@ -95,6 +95,9 @@ func (c *Context) Next() (opcode.Opcode, []byte, error) {
 var err error
 c.ip = c.nextip
+ if c.ip < 0 {
+ return 0, nil, errors.New("invalid instruction offset")
+ }
 if c.ip >= len(c.prog) {
 return opcode.RET, nil, nil
 }
diff --git a/pkg/vm/vm_test.go b/pkg/vm/vm_test.go
index 1d0e107d2..dd6ffdd5b 100644
--- a/pkg/vm/vm_test.go
+++ b/pkg/vm/vm_test.go
@@ -1385,6 +1385,17 @@ func TestKEYS(t *testing.T) {
 t.Run("WrongType", getTestFuncForVM(prog, nil, []stackitem.Item{}))
 }
+func TestTry_ENDFINALLY_before_ENDTRY(t *testing.T) {
+ prog := makeProgram(opcode.TRY, 0, 3, opcode.ENDFINALLY)
+ require.NoError(t, IsScriptCorrect(prog, nil))
+
+ v := load(prog)
+
+ var err error
+ require.NotPanics(t, func() { err = v.Run() })
+ require.Error(t, err)
+}
+
 func TestVALUESMap(t *testing.T) {
 prog := makeProgram(opcode.VALUES)
 vm := load(prog)
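Review bot: The new guard in `Next()` runs after `c.ip = c.nextip`, so on the error path the context is left holding a negative `ip`. Testing the source value first, `if c.nextip < 0 { return 0, nil, errors.New("invalid instruction offset") }` placed above the assignment, would keep the last valid instruction pointer in place for anything that inspects the faulted context. Whether other code indexes `c.prog` with `c.ip` after a fault is not visible in this hunk, so that needs confirming. A comment such as `// nextip can go negative, e.g. ENDFINALLY executed before the matching ENDTRY` would record why the check exists. The body of `Next()` continues outside the hunk.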
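Review bot: `require.Error(t, err)` in `TestTry_ENDFINALLY_before_ENDTRY` passes for any fault, so the test would stay green if the script failed for an unrelated reason and the negative-offset check were no longer the thing rejecting it. Pinning the cause, for example `require.Contains(t, err.Error(), "invalid instruction offset")`, ties the test to the guard it was written for; this assumes `Run()` preserves the underlying message, which is not visible here. A short comment on the operands in `makeProgram(opcode.TRY, 0, 3, opcode.ENDFINALLY)` would also help, since the test relies on `IsScriptCorrect` accepting a script that the VM then faults on.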