refactor(x/tx/decode): bulletproof against protowire.ConsumeTag potential varint overflows #18611

@odeke-em odeke-em commented Dec 2, 2023

This change adds extra validation against varint decoding to ensure that rejectNonADR027TxRaw doesn't panic when we try to slice txBytes[m:] due to the fact that varint decoding can be trivially fooled by adding extraneous bytes peppered with 0x80, as investigated at https://cyber.orijtech.com/advisory/varint-decode-limitless

/cc @elias-orijtech

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced input validation for transaction processing to ensure data integrity and prevent potential decoding issues.
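
The failure mode described above, as an added example that is not code from this pull request or from the cosmos-sdk: a length-prefixed read that checks every offset against len(buf) before slicing. It assumes the standard library's binary.Uvarint as a stand-in for protowire's varint decoding; consumeLenPrefixed, the error names and the sample bytes are hypothetical, and the rejection of padded encodings goes beyond the check the description mentions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	errTruncated    = errors.New("varint truncated or overflows 64 bits")
	errNonCanonical = errors.New("varint has extraneous padding bytes")
	errLength       = errors.New("declared length exceeds remaining input")
)

// consumeLenPrefixed reads a varint length prefix and returns the payload and
// the unread tail. Every offset is checked against len(buf) before slicing,
// so a hostile prefix yields an error instead of a slice-bounds panic.
func consumeLenPrefixed(buf []byte) (payload, rest []byte, err error) {
	size, m := binary.Uvarint(buf) // assumption: stand-in for protowire varint decoding
	if m <= 0 || m > len(buf) {
		// m == 0: ran out of bytes; m < 0: more than 64 bits of value.
		return nil, nil, errTruncated
	}
	// A minimal encoding never ends in 0x00 unless it is the single byte 0x00,
	// so a trailing 0x00 after 0x80-style continuation bytes is padding.
	if m > 1 && buf[m-1] == 0x00 {
		return nil, nil, errNonCanonical
	}
	// Compare as uint64 first so a huge declared size cannot wrap int.
	if size > uint64(len(buf)-m) {
		return nil, nil, errLength
	}
	end := m + int(size)
	return buf[m:end], buf[end:], nil
}

func main() {
	// Constructed inputs, not taken from the pull request.
	samples := map[string][]byte{
		"canonical":      {0x02, 'h', 'i', 0xAA},
		"padded 0x80":    {0x82, 0x80, 0x80, 0x00, 'h', 'i'},
		"length too big": {0xFF, 0xFF, 0x03, 'h', 'i'},
		"unterminated":   {0x80, 0x80, 0x80},
	}
	for name, in := range samples {
		p, rest, err := consumeLenPrefixed(in)
		fmt.Printf("%-15s payload=%q rest=%x err=%v\n", name, p, rest, err)
	}
}
```
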

@odeke-em odeke-em requested a review from a team as a code owner December 2, 2023 06:58
coderabbitai bot commented Dec 2, 2023

Walkthrough

The update involves adding a validation check to a function that decodes transaction bytes. This check ensures that the length of the decoded transaction does not surpass the actual byte length of the input. Additionally, a comment has been added to highlight potential issues with the decoding of variable-length integers (varints).

Changes

| File Path | Change Summary |
|---|---|
| .../decode/adr027.go | Added validation for decoded transaction byte length and a comment about varint decoding issues. |

@github-actions github-actions bot added the C:x/tx label Dec 2, 2023
odeke-em commented Dec 2, 2023

@elias-orijtech could you please examine staticmajor to see what it is consistently failing on all the PRs for this repository.

@testinginprod testinginprod left a comment

Maybe we should add a test? LGTM.

odeke-em commented Dec 2, 2023

Thanks for the reviews @julienrbrt and @testinginprod! @testinginprod the test is quite complex to produce the exact byte pattern and I have a fuzzer running currently for protowire that'll exhaust the path and when I do some attacks on that repository. My change is pre-emptive protection for the cosmos-sdk as varint decoding is fickle for most implementations.

@odeke-em odeke-em added this pull request to the merge queue Dec 2, 2023
Merged via the queue into main with commit f23d5c4 Dec 2, 2023
62 of 63 checks passed
@odeke-em odeke-em deleted the tx-decode.rejectNonADR027TxRaw-add-validation-against-varint-decoded branch December 2, 2023 14:13