
ERC7579.decodeBatch: Perform sanity check if executionCalldata is not at the end of allocated calldata #5400

Open
Amxx wants to merge 14 commits into OpenZeppelin:master from Amxx:erc7579/sanity-check-loop

Conversation


@Amxx Amxx commented Dec 23, 2024

Fixes #5395

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)

@Amxx Amxx requested review from a team and frangio December 23, 2024 18:55

changeset-bot bot commented Dec 23, 2024

🦋 Changeset detected

Latest commit: e1fdeeb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:
  • openzeppelin-solidity (Patch)

frangio previously approved these changes Jan 6, 2025
@Amxx Amxx changed the title from "Perform sanity check if executionCalldata is not at the end of allocated calldata" to "ERC7579.decodeBatch: Perform sanity check if executionCalldata is not at the end of allocated calldata" Mar 19, 2025
@Amxx Amxx added this to the 5.4 milestone Mar 19, 2025
@Amxx Amxx modified the milestones: 5.x, 5.7 Mar 3, 2026

coderabbitai bot commented Mar 3, 2026

Walkthrough

This PR implements a patch fix for ERC7579Utils.decodeBatch to address potential calldata boundary validation issues. The changes introduce memory-safe buffer pointer extraction by populating bufferPtr and bufferLength from input calldata instead of using executionCalldata.offset directly. A new private helper function _validateCalldataBound performs deep boundary checks to ensure the entire calldata and embedded callData structures remain within safe bounds. Test coverage is expanded with comprehensive test scenarios including empty buffers, short buffers, out-of-bounds conditions, and deeply nested decoding paths.

Possibly related PRs

  • #5936 — Modifies numeric literals in the same decodeBatch logic within ERC7579Utils.sol

Suggested labels

bug

🚥 Pre-merge checks: 5 passed
  • Title check: Passed. The title clearly describes the main change: adding a sanity check in ERC7579.decodeBatch when executionCalldata is not at the end of allocated calldata, which directly addresses issue #5395.
  • Description check: Passed. The description references the linked issue (#5395) and confirms tests and changeset are included, relating to the PR's primary objective of addressing the vulnerability.
  • Linked Issues check: Passed. The code changes implement the required sanity check by introducing _validateCalldataBound to verify that decoded calldata elements stay within safe bounds, directly addressing the bounds-checking vulnerability described in issue #5395.
  • Out of Scope Changes check: Passed. All changes are focused on fixing the bounds-checking issue in ERC7579Utils.decodeBatch. The changeset, contract modifications, and test additions are all directly related to the linked issue.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

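The walkthrough above describes the core of the fix: every offset, element pointer and callData length decoded from an `abi.encode(Execution[])` buffer must be checked against the end of the `executionCalldata` buffer itself, not against `calldatasize`, because the compiler-generated calldata accessors only enforce the latter and that is too weak when another buffer follows. The Python model below is added here as an example and is not OpenZeppelin's code; it does not reproduce the library's `_validateCalldataBound` helper. The function names (`encode_batch`, `decode_batch`, `rejects`, `make_escaping_batch`) and all sample values are constructed for this illustration. It encodes a two-element batch, decodes it with checks bounded to the buffer, and then shows how a pointer redirected into trailing calldata is accepted by a calldatasize-bounded decode but refused by the buffer-bounded one.

```python
"""Offline model of ERC-7579 batch decoding with pointer checks bounded to the
buffer. Added example, not OpenZeppelin's code. Encoding modelled:
abi.encode(Execution[]) with Execution = (address target, uint256 value, bytes callData)."""

WORD = 32
MAX_ARRAY_LENGTH = 2**64 - 1  # Solidity caps dynamic array lengths at this value


class ERC7579DecodingError(ValueError):
    """Raised when an offset, pointer or length escapes the decoded buffer."""


def _read_word(calldata: bytes, pos: int, limit: int) -> int:
    """Read the 32-byte big-endian word at pos; the whole word must lie below limit."""
    if pos > limit - WORD:
        raise ERC7579DecodingError(f"word at {pos} exceeds bound {limit}")
    return int.from_bytes(calldata[pos:pos + WORD], "big")


def encode_batch(executions: list[tuple[int, int, bytes]]) -> bytes:
    """ABI-encode [(target, value, callData), ...] the way abi.encode(Execution[]) does."""
    tails = []
    for target, value, data in executions:
        padded = data + b"\x00" * (-len(data) % WORD)
        tails.append(
            target.to_bytes(WORD, "big")
            + value.to_bytes(WORD, "big")
            + (3 * WORD).to_bytes(WORD, "big")   # callData offset, relative to the tuple start
            + len(data).to_bytes(WORD, "big")
            + padded
        )
    heads, cursor = [], len(tails) * WORD        # element pointers are relative to the first pointer
    for tail in tails:
        heads.append(cursor.to_bytes(WORD, "big"))
        cursor += len(tail)
    array = len(tails).to_bytes(WORD, "big") + b"".join(heads) + b"".join(tails)
    return WORD.to_bytes(WORD, "big") + array    # leading word: offset of the array (0x20)


def decode_batch(calldata: bytes, start: int, length: int, bound_to_buffer: bool = True):
    """Decode the batch held in calldata[start:start + length].

    bound_to_buffer=True checks every word against the end of that buffer (the deep
    check). False checks against len(calldata), i.e. calldatasize, which is all the
    compiler-generated calldata accessors enforce and is too weak whenever other
    data (another argument, a signature) follows the buffer.
    """
    limit = start + length if bound_to_buffer else len(calldata)
    if length < WORD:
        raise ERC7579DecodingError("buffer too short to hold the array offset")
    array_pos = start + _read_word(calldata, start, limit)
    n = _read_word(calldata, array_pos, limit)
    elems = array_pos + WORD                      # first element pointer; elems <= limit here
    if n > MAX_ARRAY_LENGTH or limit - elems < n * WORD:
        raise ERC7579DecodingError("element pointer table exceeds the buffer")
    out = []
    for i in range(n):
        tuple_pos = elems + _read_word(calldata, elems + i * WORD, limit)
        target = _read_word(calldata, tuple_pos, limit)
        value = _read_word(calldata, tuple_pos + WORD, limit)
        data_pos = tuple_pos + _read_word(calldata, tuple_pos + 2 * WORD, limit)
        data_len = _read_word(calldata, data_pos, limit)
        if data_len > limit - data_pos - WORD:     # right side is non-negative: data_pos <= limit - WORD
            raise ERC7579DecodingError("callData escapes the buffer")
        out.append((target, value, bytes(calldata[data_pos + WORD:data_pos + WORD + data_len])))
    return out


def rejects(calldata: bytes, start: int, length: int) -> bool:
    """True if the buffer-bounded decoder refuses calldata[start:start + length]."""
    try:
        decode_batch(calldata, start, length)
    except ERC7579DecodingError:
        return True
    return False


def make_escaping_batch():
    """Constructed sample: a valid two-element batch whose first callData pointer is
    redirected to bytes that sit after the batch in the outer calldata. Returns
    (batch, trailing, smuggled); batch + trailing is the full calldata."""
    batch = bytearray(encode_batch([(0xABC, 1, b"\x12\x34"), (0xDEF, 0, b"")]))
    first_tuple = 4 * WORD                        # array offset, length, two element pointers
    smuggled = b"\xee" * WORD
    trailing = len(smuggled).to_bytes(WORD, "big") + smuggled   # shaped like an encoded bytes value
    ptr_slot = slice(first_tuple + 2 * WORD, first_tuple + 3 * WORD)
    batch[ptr_slot] = (len(batch) - first_tuple).to_bytes(WORD, "big")
    return bytes(batch), trailing, smuggled


if __name__ == "__main__":
    batch, trailing, smuggled = make_escaping_batch()
    calldata = batch + trailing
    print("calldatasize-bounded:", decode_batch(calldata, 0, len(batch), bound_to_buffer=False)[0])
    print("buffer-bounded rejects:", rejects(calldata, 0, len(batch)))
```

The subtractions are written in the same non-negative order a Solidity implementation needs (`limit - data_pos - WORD` only after `data_pos` has been bounded), so the model carries over to checked arithmetic without overflow. Passing `start > 0` shows the same checks hold when the batch is not the first argument in calldata.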

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/brown-jokes-applaud.md:
- Line 5: The changeset line currently misstates the behavior for ERC7579Utils;
update the entry text so it says the deep sanity check runs when
executionCalldata is not the last buffer in calldata (instead of saying it is
the last). Edit the .changeset/brown-jokes-applaud.md entry and replace the
sentence with a clear phrasing such as: "ERC7579Utils: Add in-depth sanity check
when executionCalldata is not the last buffer in calldata." to match the
implemented condition.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca6f5fa and 355f8cb.

📒 Files selected for processing (3)
  • .changeset/brown-jokes-applaud.md
  • contracts/account/utils/draft-ERC7579Utils.sol
  • test/account/utils/draft-ERC7579Utils.t.sol

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

Possible issue in ERC7579Utils.decodeBatch

3 participants