cosmos
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/main.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎app/Makefile.version‎
Lines changed: 1 addition & 1 deletion b/‎app/Makefile.version‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/src/apdu_handler.c‎
Lines changed: 13 additions & 2 deletions b/‎app/src/apdu_handler.c‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎app/src/json/json_parser.c‎
Lines changed: 6 additions & 6 deletions b/‎app/src/json/json_parser.c‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎app/src/tx_display.c‎
Lines changed: 1 addition & 1 deletion b/‎app/src/tx_display.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests_zemu/snapshots/ap-mainmenu/00004.png‎
42 Bytes b/‎tests_zemu/snapshots/ap-mainmenu/00004.png‎
42 Bytes
diff --git a/‎tests_zemu/snapshots/ap-sign_basic/00001.png‎
-51 Bytes b/‎tests_zemu/snapshots/ap-sign_basic/00001.png‎
-51 Bytes
diff --git a/‎tests_zemu/snapshots/ap-sign_basic/00002.png‎
-1.82 KB b/‎tests_zemu/snapshots/ap-sign_basic/00002.png‎
-1.82 KB
diff --git a/‎tests_zemu/snapshots/ap-sign_basic_extra_fields/00001.png‎
-51 Bytes b/‎tests_zemu/snapshots/ap-sign_basic_extra_fields/00001.png‎
-51 Bytes
diff --git a/‎tests_zemu/snapshots/ap-sign_basic_extra_fields/00002.png‎
-1.82 KB b/‎tests_zemu/snapshots/ap-sign_basic_extra_fields/00002.png‎
-1.82 KB
@@ -16,4 +16,6 @@ jobs:
       runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' || 'ubuntu-latest' }}
       has-rust: false
       has-nanos: false
-      node-version: '22'
+      node-version: '22'
+    permissions:                                                            
+        contents: write  # Required for creating releases   
@@ -3,4 +3,4 @@ APPVERSION_M=2
 # This is the `spec_version` field of `Runtime`
 APPVERSION_N=38
 # This is the patch version of this release
-APPVERSION_P=8
+APPVERSION_P=9
@@ -221,12 +221,23 @@ __Z_INLINE void handleSign(volatile uint32_t *flags, volatile uint32_t *tx,
     THROW(APDU_CODE_DATA_INVALID);
   }
 
-  if (rx < VIEW_ADDRESS_OFFSET_SECP256K1) {
+  // Put address in output buffer, we will use it to confirm source address
+  zxerr_t zxerr = app_fill_address();
+  if (zxerr != zxerr_ok) {
+    *tx = 0;
+    THROW(APDU_CODE_DATA_INVALID);
+  }
+
+  // Safety: ensure response contains more than just pubkey
+  if (action_addrResponseLen <= PK_LEN_SECP256K1) {
+    *tx = 0;
     THROW(APDU_CODE_DATA_INVALID);
   }
+
   parser_tx_obj.tx_json.own_addr =
       (const char *)(G_io_apdu_buffer + VIEW_ADDRESS_OFFSET_SECP256K1);
-  parser_tx_obj.tx_json.own_addr_len = rx - VIEW_ADDRESS_OFFSET_SECP256K1;
+  parser_tx_obj.tx_json.own_addr_len =
+      action_addrResponseLen - PK_LEN_SECP256K1;
   const char *error_msg = tx_parse(sign_type);
   if (error_msg != NULL) {
     const int error_msg_length = strnlen(error_msg, sizeof(G_io_apdu_buffer));
 
@@ -94,7 +94,7 @@ parser_error_t array_get_element_count(const parsed_json_t *json,
   }
 
   *number_elements = 0;
-  if (array_token_index > json->numberOfTokens) {
+  if (array_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
@@ -128,7 +128,7 @@ parser_error_t array_get_nth_element(const parsed_json_t *json,
     return parser_unexpected_value;
   }
 
-  if (array_token_index > json->numberOfTokens) {
+  if (array_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
@@ -167,7 +167,7 @@ parser_error_t object_get_element_count(const parsed_json_t *json,
   }
 
   *element_count = 0;
-  if (object_token_index > json->numberOfTokens) {
+  if (object_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
@@ -203,7 +203,7 @@ parser_error_t object_get_nth_key(const parsed_json_t *json,
   }
 
   *token_index = object_token_index;
-  if (object_token_index > json->numberOfTokens) {
+  if (object_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
@@ -242,7 +242,7 @@ parser_error_t object_get_nth_value(const parsed_json_t *json,
     return parser_unexpected_value;
   }
 
-  if (object_token_index > json->numberOfTokens) {
+  if (object_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
@@ -260,7 +260,7 @@ parser_error_t object_get_value(const parsed_json_t *json,
     return parser_unexpected_value;
   }
 
-  if (object_token_index > json->numberOfTokens) {
+  if (object_token_index >= json->numberOfTokens) {
     return parser_no_data;
   }
 
 
@@ -694,7 +694,7 @@ parser_error_t tx_display_translation(char *dst, uint16_t dstLen, char *src,
   }
 
   if (src[srcLen - 1] == ' ' || src[srcLen - 1] == '@') {
-    if (src[dstLen - 1] + 1 > dstLen) {
+    if (count >= dstLen) {
       return parser_unexpected_value;
     }
     ASSERT_PTR_BOUNDS(count, dstLen);
Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ parser_error_t array_get_element_count(const parsed_json_t *json,`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`*number_elements = 0;`
`97`		`- if (array_token_index > json->numberOfTokens) {`
	`97`	`+ if (array_token_index >= json->numberOfTokens) {`
`98`	`98`	`return parser_no_data;`
`99`	`99`	`}`
`100`	`100`
`@@ -128,7 +128,7 @@ parser_error_t array_get_nth_element(const parsed_json_t *json,`
`128`	`128`	`return parser_unexpected_value;`
`129`	`129`	`}`
`130`	`130`
`131`		`- if (array_token_index > json->numberOfTokens) {`
	`131`	`+ if (array_token_index >= json->numberOfTokens) {`
`132`	`132`	`return parser_no_data;`
`133`	`133`	`}`
`134`	`134`
`@@ -167,7 +167,7 @@ parser_error_t object_get_element_count(const parsed_json_t *json,`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`*element_count = 0;`
`170`		`- if (object_token_index > json->numberOfTokens) {`
	`170`	`+ if (object_token_index >= json->numberOfTokens) {`
`171`	`171`	`return parser_no_data;`
`172`	`172`	`}`
`173`	`173`
`@@ -203,7 +203,7 @@ parser_error_t object_get_nth_key(const parsed_json_t *json,`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`*token_index = object_token_index;`
`206`		`- if (object_token_index > json->numberOfTokens) {`
	`206`	`+ if (object_token_index >= json->numberOfTokens) {`
`207`	`207`	`return parser_no_data;`
`208`	`208`	`}`
`209`	`209`
`@@ -242,7 +242,7 @@ parser_error_t object_get_nth_value(const parsed_json_t *json,`
`242`	`242`	`return parser_unexpected_value;`
`243`	`243`	`}`
`244`	`244`
`245`		`- if (object_token_index > json->numberOfTokens) {`
	`245`	`+ if (object_token_index >= json->numberOfTokens) {`
`246`	`246`	`return parser_no_data;`
`247`	`247`	`}`
`248`	`248`
`@@ -260,7 +260,7 @@ parser_error_t object_get_value(const parsed_json_t *json,`
`260`	`260`	`return parser_unexpected_value;`
`261`	`261`	`}`
`262`	`262`
`263`		`- if (object_token_index > json->numberOfTokens) {`
	`263`	`+ if (object_token_index >= json->numberOfTokens) {`
`264`	`264`	`return parser_no_data;`
`265`	`265`	`}`
`266`	`266`
Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,7 @@ parser_error_t tx_display_translation(char dst, uint16_t dstLen, char src,`
`694`	`694`	`}`
`695`	`695`
`696`	`696`	`if (src[srcLen - 1] == ' ' \|\| src[srcLen - 1] == '@') {`
`697`		`- if (src[dstLen - 1] + 1 > dstLen) {`
	`697`	`+ if (count >= dstLen) {`
`698`	`698`	`return parser_unexpected_value;`
`699`	`699`	`}`
`700`	`700`	`ASSERT_PTR_BOUNDS(count, dstLen);`