Do not allow allow reading beyond calldata

packages/utils/src/abi_encoder/calldata/raw_calldata.ts

@@ -31,8 +31,13 @@ export class RawCalldata {
     }
 
     public popBytes(lengthInBytes: number): Buffer {
-        const value = this._value.slice(this._offset, this._offset + lengthInBytes);
-        this.setOffset(this._offset + lengthInBytes);
+        const popBegin = this._offset;
+        const popEnd = popBegin + lengthInBytes;
+        if (popEnd > this._value.byteLength) {
+            throw new Error(`Tried to decode beyond the end of calldata`);
+        }
+        const value = this._value.slice(popBegin, popEnd);
+        this.setOffset(popEnd);
         return value;
     }
 

packages/utils/test/abi_encoder/evm_data_types_test.ts

@@ -800,6 +800,18 @@ describe('ABI Encoder: EVM Data Type Encoding/Decoding', () => {
             const decodedArgs = dataType.decode(nullEncodedArgs);
             expect(decodedArgs).to.be.deep.equal(args);
         });
+        it('Should fail to decode if not enough bytes in calldata', async () => {
+            // Create DataType object
+            const testDataItem = { name: 'Integer (256)', type: 'int' };
+            const dataType = new AbiEncoder.Int(testDataItem);
+            const args = new BigNumber(0);
+            const encodedArgs = dataType.encode(args, encodingRules);
+            const encodedArgsTruncated = encodedArgs.substr(0, 60);
+            // Encode Args and validate result
+            expect(() => {
+                dataType.decode(encodedArgsTruncated);
+            }).to.throw();
+        });
     });
 
     describe('Unsigned Integer', () => {