From 7b6a8ee5d7e3ce4e2e327e61deef9e08bbb83d95 Mon Sep 17 00:00:00 2001
From: Minhyuk Kim
Date: Sun, 15 Dec 2024 17:28:05 +0900
Subject: [PATCH] Add slow VM validation for calldata offset checks

---
 rvgo/slow/vm.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/rvgo/slow/vm.go b/rvgo/slow/vm.go
index 458f00c6..a9191ac9 100644
--- a/rvgo/slow/vm.go
+++ b/rvgo/slow/vm.go
@@ -122,6 +122,12 @@ func Step(calldata []byte, po PreimageOracle) (stateHash common.Hash, outErr err
 }
 stateContentOffset := uint8(4 + 32 + 32 + 32 + 32)
+ if iszero(eq(add(b32asBEWord(calldataload(toU64(4))), shortToU256(32+4)), shortToU256(uint16(stateContentOffset)))) {
+ // _stateData.offset = _stateData.pointer + 32 + 4
+ // 32*4+4 = 132 expected state data offset
+ panic("invalid state offset input")
+ }
+
 if iszero(eq(b32asBEWord(calldataload(toU64(4+32*3))), shortToU256(stateSize))) {
 // user-provided state size must match expected state size
 panic("invalid state size input")
@@ -133,6 +139,11 @@ func Step(calldata []byte, po PreimageOracle) (stateHash common.Hash, outErr err
 // proof offset must be stateContentOffset+paddedStateSize+32
 // proof size: 64-5+1=60 * 32 byte leaf,
 // but multiple memProof can be used, so the proofSize must be a multiple of 60
+ panic("invalid proof size input")
+ }
+
+ if iszero(eq(add(b32asBEWord(calldataload(toU64(36))), shortToU256(32+4)), u64ToU256(proofContentOffset))) {
+ // _proof.offset = proofContentOffset = _proof.pointer + 32 + 4
 panic("invalid proof offset input")
 }
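Review bot: The two comments explaining the new state-offset check sit inside the failing branch, after a long nested condition, so a reader meets `add(..., shortToU256(32+4))` before learning what it encodes; the same applies to the proof-offset check in the second hunk. I would put the explanation above the `if`, for example `// head word at calldata[4:36] is the _stateData pointer; pointer + 32 (length word) + 4 (selector) must equal stateContentOffset (132)`. The breakdown of 32 and 4 is my reading of the constants and should be confirmed against the contract. Since calldata is caller-supplied and this VM is presumably expected to reject exactly what the on-chain step rejects, a test with a wrong pointer word would pin that behaviour; the patch touches only vm.go. Step's body starts and ends outside the hunk.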
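Review bot: The comment `// proof offset must be stateContentOffset+paddedStateSize+32` stays in the proof-size branch, which now panics with "invalid proof size input", while the offset rule it describes is enforced by the new `if` below it; that line should move to the new check so each branch documents only its own rule. In the new condition, `calldataload(toU64(36))` would read more clearly as `calldataload(toU64(4+32))`, matching the `4+32*3` form on the state-size line. Before this change a bad proof size was reported as "invalid proof offset input", so anything matching on the panic text for size failures will now see a different message. The proof-size `if` opens outside the hunk, so its condition is not visible here.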