Fix(RLP): reject trailing bytes in scalar/data decoders #6519

Closed
BhariGowda wants to merge 2 commits into OpenZeppelin:master from BhariGowda:fix/rlp-reject-trailing-bytes

@BhariGowda

Motivation
Fixes #6515

RLP scalar decoders (decodeUint256, decodeBytes, decodeBytes32,
decodeBool, decodeAddress, decodeString) silently ignored trailing
bytes after a valid RLP data item.

For example:

  • decodeUint256(0x0102) returned 1 instead of reverting
  • decodeBytes(0x83646f6780) returned dog instead of reverting

decodeList already correctly rejected trailing bytes — this fix
brings scalar decoders in line with the same behavior.

Changes

Added trailing bytes check to readUint256 and readBytes:

  • readUint256: require itemOffset + itemLength == item.length()
  • readBytes: require offset + length == item.length()

readBytes32, decodeBool, decodeAddress, decodeString all
delegate to these two functions so are fixed automatically.

Testing

Added 3 regression tests. All 20 tests pass.
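
The behaviour described in this PR, as an added example that is not part of the PR or of OpenZeppelin's RLP.sol: a minimal JavaScript decoder for RLP string items whose `strict` flag toggles the `offset + length == input length` check. All function names and the `strict` flag are hypothetical; canonical-encoding checks and list decoding are left out.

```javascript
// Added example, not OpenZeppelin code. All names here are hypothetical.
// Decodes one RLP string item (prefix < 0xc0) and reports where it ends.

function hexToBytes(hex) {
  const h = hex.replace(/^0x/, '');
  if (h.length % 2 !== 0 || /[^0-9a-fA-F]/.test(h)) throw new Error('bad hex');
  return Uint8Array.from(h.match(/../g) || [], (b) => parseInt(b, 16));
}

// Returns { offset, length } of the payload inside `buf`.
function readStringItem(buf) {
  if (buf.length === 0) throw new Error('empty input');
  const prefix = buf[0];
  let offset, length;
  if (prefix < 0x80) {            // single byte is its own payload
    offset = 0; length = 1;
  } else if (prefix <= 0xb7) {    // short string: length is in the prefix
    offset = 1; length = prefix - 0x80;
  } else if (prefix <= 0xbf) {    // long string: prefix gives length-of-length
    const lenOfLen = prefix - 0xb7;
    if (buf.length < 1 + lenOfLen) throw new Error('truncated length');
    length = 0;
    for (let i = 1; i <= lenOfLen; i++) length = length * 256 + buf[i];
    offset = 1 + lenOfLen;
  } else {
    throw new Error('list item, not a scalar');
  }
  if (offset + length > buf.length) throw new Error('truncated payload');
  return { offset, length };
}

// strict=false: bytes after the item are ignored (the behaviour the PR reports).
// strict=true: the item must span the whole input (the check the PR adds).
function decodeBytes(hex, strict) {
  const buf = hexToBytes(hex);
  const { offset, length } = readStringItem(buf);
  if (strict && offset + length !== buf.length) throw new Error('trailing bytes');
  return buf.slice(offset, offset + length);
}

function decodeUint256(hex, strict) {
  const payload = decodeBytes(hex, strict);
  if (payload.length > 32) throw new Error('integer too large');
  return payload.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);
}
```

With `strict` off, the two inputs from the description decode to `1` and `dog`; with it on, both are rejected while `0x83646f67` still decodes.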

@BhariGowda BhariGowda requested a review from a team as a code owner May 13, 2026 06:45
@changeset-bot

changeset-bot Bot commented May 13, 2026

🦋 Changeset detected

Latest commit: f9c7e94

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| openzeppelin-solidity | Patch |

@coderabbitai

coderabbitai Bot commented May 13, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 8b010f9 and f9c7e94.

📒 Files selected for processing (3)
  • .changeset/common-frogs-pick.md
  • contracts/utils/RLP.sol
  • test/utils/RLP.test.js

Walkthrough

This PR fixes a correctness bug in the RLP decoder library where scalar decoders (readUint256, readBytes, and related functions) were accepting inputs with trailing bytes after a valid decoded data item. The fix adds stricter boundary validation to both readUint256 and readBytes to ensure the decoded item length exactly matches the provided input slice. Three test cases verify the decoders now properly reject malformed RLP payloads with trailing bytes.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: fixing RLP decoders to reject trailing bytes in scalar/data decoders. |
| Description check | ✅ Passed | The description directly relates to the changeset, explaining the motivation, changes made, and testing performed for the RLP trailing bytes fix. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #6515 by adding trailing-byte checks to readUint256 and readBytes, ensuring all affected scalar decoders reject malformed inputs with trailing bytes. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: modifications to RLP.sol implement the required trailing-byte validation, test cases verify the fix, and the changeset documents the update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@Amxx

Amxx commented May 14, 2026

Collaborator

#6515 (comment)

@Amxx Amxx closed this May 14, 2026

Development

Successfully merging this pull request may close these issues.

RLP decoders accept trailing bytes after valid data items
