From d8664490da47bfff1854869826268c486e6487d7 Mon Sep 17 00:00:00 2001
From: Dean Eigenmann <7621705+decanus@users.noreply.github.com>
Date: Mon, 17 Jun 2024 21:53:00 +0200
Subject: [PATCH] common/math: fix out of bounds access in json unmarshalling
 (#30014)

Co-authored-by: Martin Holst Swende <martin@swende.se>
---
 common/math/big.go     | 2 +-
 common/math/integer.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/math/big.go b/common/math/big.go
index 721b297c9c..d9748d01a3 100644
--- a/common/math/big.go
+++ b/common/math/big.go
@@ -54,7 +54,7 @@ func NewHexOrDecimal256(x int64) *HexOrDecimal256 {
 // It is similar to UnmarshalText, but allows parsing real decimals too, not just
 // quoted decimal strings.
 func (i *HexOrDecimal256) UnmarshalJSON(input []byte) error {
-	if len(input) > 0 && input[0] == '"' {
+	if len(input) > 1 && input[0] == '"' {
 		input = input[1 : len(input)-1]
 	}
 	return i.UnmarshalText(input)
diff --git a/common/math/integer.go b/common/math/integer.go
index 080fba8fea..82de96f927 100644
--- a/common/math/integer.go
+++ b/common/math/integer.go
@@ -46,7 +46,7 @@ type HexOrDecimal64 uint64
 // It is similar to UnmarshalText, but allows parsing real decimals too, not just
 // quoted decimal strings.
 func (i *HexOrDecimal64) UnmarshalJSON(input []byte) error {
-	if len(input) > 0 && input[0] == '"' {
+	if len(input) > 1 && input[0] == '"' {
 		input = input[1 : len(input)-1]
 	}
 	return i.UnmarshalText(input)