From 0383ec2ea7fa55f9e50fe4c604b731bf9e2c3aa4 Mon Sep 17 00:00:00 2001
From: Jun Kimura <jun.kimura@datachain.jp>
Date: Wed, 12 Mar 2025 15:20:02 +0900
Subject: [PATCH] improve validation of risc0 verifier info length

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
---
 contracts/LCPClientZKDCAPBase.sol | 3 ++-
 test/LCPClientZKDCAPTest.t.sol    | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/contracts/LCPClientZKDCAPBase.sol b/contracts/LCPClientZKDCAPBase.sol
index c000d69..04a22f0 100644
--- a/contracts/LCPClientZKDCAPBase.sol
+++ b/contracts/LCPClientZKDCAPBase.sol
@@ -279,7 +279,8 @@ abstract contract LCPClientZKDCAPBase is LCPClientBase {
         if (uint8(verifierInfo[0]) != ZKVM_TYPE_RISC_ZERO) {
             revert LCPClientZKDCAPInvalidVerifierInfoZKVMType();
         }
-        if (vlen < 64) {
+        // risc0 verifier info should be 64 bytes
+        if (vlen != 64) {
             revert LCPClientZKDCAPInvalidVerifierInfoLength();
         }
         // 32..64 bytes: image ID
diff --git a/test/LCPClientZKDCAPTest.t.sol b/test/LCPClientZKDCAPTest.t.sol
index b0d319c..8e18bff 100644
--- a/test/LCPClientZKDCAPTest.t.sol
+++ b/test/LCPClientZKDCAPTest.t.sol
@@ -670,6 +670,7 @@ contract LCPClientZKDCAPTest is BasicTest {
         vm.warp(ZKDCAPTestHelper.TEST_TIMESTAMP);
         bytes memory consensusStateBytes = LCPProtoMarshaler.marshal(defaultConsensusState());
         IbcLightclientsLcpV1ClientState.Data memory clientState = defaultClientState();
+        bytes memory valid_zkdcap_verifier_info = clientState.zkdcap_verifier_infos[0];
         clientState.zkdcap_verifier_infos[0] = new bytes(0);
         bytes memory clientStateBytes = LCPProtoMarshaler.marshal(clientState);
         vm.expectRevert();
@@ -689,6 +690,12 @@ contract LCPClientZKDCAPTest is BasicTest {
         clientStateBytes = LCPProtoMarshaler.marshal(clientState);
         vm.expectRevert();
         lc.initializeClient(clientId, clientStateBytes, consensusStateBytes);
+
+        clientState.zkdcap_verifier_infos = new bytes[](1);
+        clientState.zkdcap_verifier_infos[0] = abi.encodePacked(valid_zkdcap_verifier_info, bytes1(0x0));
+        clientStateBytes = LCPProtoMarshaler.marshal(clientState);
+        vm.expectRevert();
+        lc.initializeClient(clientId, clientStateBytes, consensusStateBytes);
     }
 
     function testInitializeClientInvalidValues() public {