From 6f1f9e56bbc7832e0c4db9d5ccaf5182c4002a0f Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov
Date: Thu, 17 Oct 2019 11:07:44 +0300
Subject: [PATCH] vm: restrict max size in PACK
---
 pkg/vm/vm.go | 2 +-
 pkg/vm/vm_test.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/pkg/vm/vm.go b/pkg/vm/vm.go
index 6c7049700..27614ea9f 100644
--- a/pkg/vm/vm.go
+++ b/pkg/vm/vm.go
@@ -804,7 +804,7 @@ func (v *VM) execute(ctx *Context, op Instruction, parameter []byte) {
 case PACK:
 n := int(v.estack.Pop().BigInt().Int64())
- if n < 0 || n > v.estack.Len() {
+ if n < 0 || n > v.estack.Len() || n > MaxArraySize {
 panic("OPACK: invalid length")
 }
diff --git a/pkg/vm/vm_test.go b/pkg/vm/vm_test.go
index 98142bc36..8cfc83505 100644
--- a/pkg/vm/vm_test.go
+++ b/pkg/vm/vm_test.go
@@ -1604,6 +1604,17 @@ func TestPACKBadLen(t *testing.T) {
 assert.Equal(t, true, vm.HasFailed())
 }
+func TestPACKBigLen(t *testing.T) {
+ prog := makeProgram(PACK)
+ vm := load(prog)
+ for i := 0; i <= MaxArraySize; i++ {
+ vm.estack.PushVal(0)
+ }
+ vm.estack.PushVal(MaxArraySize + 1)
+ vm.Run()
+ assert.Equal(t, true, vm.HasFailed())
+}
+
 func TestPACKGoodZeroLen(t *testing.T) {
 prog := makeProgram(PACK)
 vm := load(prog)
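Review bot: The added `n > MaxArraySize` bound in the PACK case is applied after `int(v.estack.Pop().BigInt().Int64())` has already narrowed the operand, and `big.Int.Int64` is documented as undefined when the value does not fit in an int64. If nothing earlier limits the size of that integer, an oversized script-supplied count can come out as a small non-negative n and pass all three comparisons instead of faulting. Checking representability before the conversion closes that, e.g. `bi := v.estack.Pop().BigInt()` followed by `if !bi.IsInt64() { panic("OPACK: invalid length") }`. The three conditions also share one fault message, so a log cannot tell a negative count from one over the cap. The execute function starts and ends outside the hunk.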
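Review bot: TestPACKBigLen pins only the rejecting side of the new limit; nothing visible here checks that a count of exactly MaxArraySize is still accepted, so a later change from `>` to `>=` in the PACK check would go unnoticed. A companion test that pushes MaxArraySize items, packs them and asserts that the VM did not fail would fix the boundary from both sides. It needs only the helpers already used by the test added here.

```go
func TestPACKMaxLen(t *testing.T) {
	prog := makeProgram(PACK)
	vm := load(prog)
	for i := 0; i < MaxArraySize; i++ {
		vm.estack.PushVal(0)
	}
	vm.estack.PushVal(MaxArraySize)
	vm.Run()
	assert.Equal(t, false, vm.HasFailed())
}
```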