From 2e2fece0bb439801a36177b263705a65c98c381b Mon Sep 17 00:00:00 2001
From: Matus Kysel
Date: Fri, 26 Sep 2025 15:12:28 +0200
Subject: [PATCH] ethapi: reject oversize storage keys before hex decode (#32750)

Bail out of decodeHash when the raw hex string is longer than 32 byte before actually decoding.

---------

Co-authored-by: lightclient
---
 internal/ethapi/api.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/ethapi/api.go b/internal/ethapi/api.go
index c60aad5617..2432bb70b8 100644
--- a/internal/ethapi/api.go
+++ b/internal/ethapi/api.go
@@ -449,13 +449,13 @@ func decodeHash(s string) (h common.Hash, inputLength int, err error) {
 if (len(s) & 1) > 0 {
 s = "0" + s
 }
+ if len(s) > 64 {
+ return common.Hash{}, len(s) / 2, errors.New("hex string too long, want at most 32 bytes")
+ }
 b, err := hex.DecodeString(s)
 if err != nil {
 return common.Hash{}, 0, errors.New("hex string invalid")
 }
- if len(b) > 32 {
- return common.Hash{}, len(b), errors.New("hex string too long, want at most 32 bytes")
- }
 return common.BytesToHash(b), len(b), nil
 }
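Review bot: The new length guard sits after the `s = "0" + s` padding, so an oversized odd-length input is still copied in full once before it is rejected; only the hex decode is skipped. Moving the guard above the padding block gives the same accept/reject result (any unpadded length over 64 is also over 64 once padded), and `return common.Hash{}, (len(s) + 1) / 2, errors.New("hex string too long, want at most 32 bytes")` keeps the reported length unchanged for odd inputs. Error precedence also changes: an over-long string containing non-hex characters now yields "too long" with a non-zero length instead of "hex string invalid" with 0, which deserves a short comment if any caller relies on inputLength. The diffstat shows only api.go, so a table test at 63, 64, 65 and 66 hex digits would pin the boundary. decodeHash begins above the hunk, so any earlier handling of `s` is not visible here.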