fix decodeBytes() integer overflow on 32-bit systems

[erikgrinaker]

Fixes #339.

[odeke-em]

LGTM, thank you @erikgrinaker! Minor nit: if we could adapt the test in the repro would be nice. Also when this is approved, could you please cut a new release, and let's mail an update for all dependencies for cosmos/iavl? Thank you.

[erikgrinaker]

Minor nit: if we could adapt the test in the repro would be nice.

I don't have access to a 32-bit system at the moment, we'll look into this next week.

could you please cut a new release, and let's mail an update for all dependencies for cosmos/iavl?

I'll cut a new release and ping the SDK people, but don't feel like we need to announce this more broadly as 32-bit is fairly niche and supported on a best-effort basis.

[odeke-em]

Thank you for the fix @erikgrinaker, and thank you for the review @marbar3778!

I'll cut a new release and ping the SDK people, but don't feel like we need to announce this more broadly as 32-bit is fairly niche and supported on a best-effort basis.

As I commented in #339 (comment), I just re-ran some thoughts and also fuzzed and alas identified a vector that crashes on 64-bit systems, as well with the same runtime out of range error when the length is saved as 9223372036854775806 and it cleverly circumvents the checks given that the code

 if len(bz) < n+int(size) { 
 	return nil, n, fmt.Errorf("insufficient bytes decoding []byte of length %v", size) 
 } 

n+int(9223372036854775806) on 64-bit systems --> -X
e.g. if n = 9, we get size 9223372036854775806 int(size) 9223372036854775806 n 9 len(bz) 9 -9223372036854775801.

This PR fixes also the 32-bit problems as well as for 64-bit systems, thus I recommend that we should perhaps issue updates to code using this package ASAP.