decoder: add slice len bounds checks

[riptl]

The decoder performs memory allocations based on untrusted length inputs while decoding slices.

This patch adds an upper constraint to the slice element count before calling runtime.MakeSlice in decoder.

It also fixes an integer overflow bug that could result in negative slice lengths.

Rationale: We assume each slice element is at least 1 byte large ¹ Thus, for a valid encoding, the number of bytes remaining must be greater or equal to the number of slice elements. If there are less bytes remaining than the slice element count indicates, we would eventually try to read past the buffer and trip on io.ErrUnexpectedEOF. Thus we can safely bail early without actually deserializing slice elements.

¹ A slice element can reasonably only be zero bytes if all other elements are also zero bytes (ignoring custom UnmarshalWithDecoder). Zero size slices are rare and should be represented as a single varint instead anyways.

Fixes gagliardetto/solana-go#95

[gagliardetto]

Inside decoder_test.go on line 602, the line should be assert.EqualError(t, err, "unexpected EOF") (because the erro changed).

[gagliardetto]

What about also adding some size evaluation to the check?

Negative Example:

• readLen: 1 million
• check if there's at least 1 million bytes left: true, there is at least that amount remaining.
• allocate a slice of 1 million structs.

[gagliardetto]

Or maybe there's an "append" in reflect that would avoid preallocating?

[riptl]

@gagliardetto Thanks, I fixed the test. I also found an unrelatived integer overflow bug that resulted in negative length slices and fixed that.

[gagliardetto]

I think we can leave go 1.16 behind, and add go 1.19 instead

[riptl]

variant.go got accidentally changed by go fmt

[gagliardetto]

Thanks!