offers: avoid panic when truncating payer_note in UTF-8 code point

phlip9 · phlip9 · commit ce744a288977 · 2025-04-22T18:04:01.000-07:00
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -998,15 +998,54 @@ impl VerifiedInvoiceRequest {
 		InvoiceRequestFields {
 			payer_signing_pubkey: *payer_signing_pubkey,
 			quantity: *quantity,
-			payer_note_truncated: payer_note.clone().map(|mut s| {
-				s.truncate(PAYER_NOTE_LIMIT);
-				UntrustedString(s)
-			}),
+			payer_note_truncated: payer_note
+				.clone()
+				// Truncate the payer note to `PAYER_NOTE_LIMIT` bytes, rounding
+				// down to the nearest valid UTF-8 code point boundary.
+				.map(|s| UntrustedString(string_truncate_safe(s, PAYER_NOTE_LIMIT))),
 			human_readable_name: self.offer_from_hrn().clone(),
 		}
 	}
 }
 
+/// `String.truncate(new_len)` panics if you split on a UTF-8 code point. This
+/// function will instead truncate the string to the next smaller code point
+/// boundary.
+///
+/// This can still split a grapheme cluster, but that's probably fine.
+/// We'd otherwise have to pull in the `unicode-segmentation` crate and its big
+/// unicode tables to find the next smaller grapheme cluster boundary.
+fn string_truncate_safe(mut s: String, new_len: usize) -> String {
+	/// Returns true if a byte is the first byte of a UTF-8 code point sequence.
+	// TODO(phlip9): remove when std stabilizes `str::floor_char_boundary`.
+	#[inline]
+	const fn u8_is_utf8_char_boundary(b: u8) -> bool {
+		// This is bit magic equivalent to: b < 128 || b >= 192
+		(b as i8) >= -0x40
+	}
+
+	/// Finds the closest `x` not exceeding `index` where `s.is_char_boundary(x)`
+	/// is true.
+	// TODO(phlip9): remove when std stabilizes `str::floor_char_boundary`.
+	#[inline]
+	fn str_floor_char_boundary(s: &str, index: usize) -> usize {
+		if index >= s.len() {
+			s.len()
+		} else {
+			let lower_bound = index.saturating_sub(3);
+			let new_index = s.as_bytes()[lower_bound..=index]
+				.iter()
+				.rposition(|b| u8_is_utf8_char_boundary(*b))
+				.unwrap_or(0);
+			lower_bound + new_index
+		}
+	}
+
+	let truncated_len = str_floor_char_boundary(s.as_str(), new_len);
+	s.truncate(truncated_len);
+	s
+}
+
 impl InvoiceRequestContents {
 	pub(super) fn metadata(&self) -> &[u8] {
 		self.inner.metadata()
@@ -2947,14 +2986,20 @@ mod tests {
 			.unwrap();
 		assert_eq!(offer.issuer_signing_pubkey(), Some(node_id));
 
+		// UTF-8 payer note that we can't naively `.truncate(PAYER_NOTE_LIMIT)`
+		// because it would split a multi-byte UTF-8 code point.
+		let payer_note = "❤️".repeat(86);
+		assert_eq!(payer_note.len(), PAYER_NOTE_LIMIT + 4);
+		let expected_payer_note = "❤️".repeat(85);
+
 		let invoice_request = offer
 			.request_invoice(&expanded_key, nonce, &secp_ctx, payment_id)
 			.unwrap()
 			.chain(Network::Testnet)
 			.unwrap()
 			.quantity(1)
 			.unwrap()
-			.payer_note("0".repeat(PAYER_NOTE_LIMIT * 2))
+			.payer_note(payer_note)
 			.build_and_sign()
 			.unwrap();
 		match invoice_request.verify_using_metadata(&expanded_key, &secp_ctx) {
@@ -2966,7 +3011,7 @@ mod tests {
 					InvoiceRequestFields {
 						payer_signing_pubkey: invoice_request.payer_signing_pubkey(),
 						quantity: Some(1),
-						payer_note_truncated: Some(UntrustedString("0".repeat(PAYER_NOTE_LIMIT))),
+						payer_note_truncated: Some(UntrustedString(expected_payer_note)),
 						human_readable_name: None,
 					}
 				);
