From b8eeb658cca6c5dd397b774edcc67663485d64ec Mon Sep 17 00:00:00 2001
From: fiatjaf
Date: Thu, 31 Aug 2023 09:25:09 -0300
Subject: [PATCH] add size validation to nip19 decoder.
---
 nip19/nip19.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/nip19/nip19.go b/nip19/nip19.go
index 74cf0a0..c9b4466 100644
--- a/nip19/nip19.go
+++ b/nip19/nip19.go
@@ -44,6 +44,9 @@ func Decode(bech32string string) (prefix string, value any, err error) {
 switch t {
 case TLVDefault:
+ if len(v) < 32 {
+ return prefix, nil, fmt.Errorf("pubkey is less than 32 bytes (%d)", len(v))
+ }
 result.PublicKey = hex.EncodeToString(v)
 case TLVRelay:
 result.Relays = append(result.Relays, string(v))
@@ -69,10 +72,16 @@ func Decode(bech32string string) (prefix string, value any, err error) {
 switch t {
 case TLVDefault:
+ if len(v) < 32 {
+ return prefix, nil, fmt.Errorf("id is less than 32 bytes (%d)", len(v))
+ }
 result.ID = hex.EncodeToString(v)
 case TLVRelay:
 result.Relays = append(result.Relays, string(v))
 case TLVAuthor:
+ if len(v) < 32 {
+ return prefix, nil, fmt.Errorf("author is less than 32 bytes (%d)", len(v))
+ }
 result.Author = hex.EncodeToString(v)
 case TLVKind:
 result.Kind = int(binary.BigEndian.Uint32(v))
@@ -102,6 +111,9 @@ func Decode(bech32string string) (prefix string, value any, err error) {
 case TLVRelay:
 result.Relays = append(result.Relays, string(v))
 case TLVAuthor:
+ if len(v) < 32 {
+ return prefix, nil, fmt.Errorf("author is less than 32 bytes (%d)", len(v))
+ }
 result.PublicKey = hex.EncodeToString(v)
 case TLVKind:
 result.Kind = int(binary.BigEndian.Uint32(v))
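Review bot: The new guard in the `TLVDefault` case rejects only values shorter than 32 bytes, so an over-long `v` still passes and is hex-encoded into a `PublicKey` longer than 64 characters. If the field is meant to hold exactly a 32-byte key, as the error text implies, compare for equality instead: `if len(v) != 32 {` with a message like `"pubkey must be 32 bytes (got %d)"`. The same lower-bound-only check is repeated for the id and author cases in the second hunk and the author case in the third. `Decode` starts and ends outside these hunks, so whether a later step re-validates the hex length is not visible here.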
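Review bot: The `TLVKind` case kept as context at the end of this hunk calls `binary.BigEndian.Uint32(v)` with no length check, and that call panics when `v` holds fewer than 4 bytes. Because `Decode` parses caller-supplied bech32 strings, a truncated kind TLV would crash the caller instead of returning an error, which is the class of problem this commit sets out to close. Guard the conversion, for example `if len(v) != 4 { return prefix, nil, fmt.Errorf("kind must be 4 bytes (got %d)", len(v)) }`. The same unguarded line appears in the third hunk's `TLVKind` case. A table-driven test that feeds short and over-long TLV values through `Decode` would pin both the new checks and this one.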