Fix EIP-712 & GCS signed integer formatting

* Add support for non-power of 2 type sizes
* Commonize the formatting between EIP-712 & GCS

Author: apaillier-ledger

src/features/generic_tx_parser/gtp_param_raw.c

@@ -3,7 +3,6 @@
 #include "gtp_param_raw.h"
 #include "gtp_field.h"
 #include "uint256.h"
-#include "read.h"
 #include "gtp_field_table.h"
 #include "utils.h"
 #include "shared_context.h"
@@ -111,47 +110,7 @@ bool format_uint(const s_field *field,
 }
 
 bool format_int(const s_value *def, const s_parsed_value *value, char *buf, size_t buf_size) {
-    uint8_t tmp[INT256_LENGTH];
-    bool ret;
-    union {
-        uint256_t value256;
-        uint128_t value128;
-        int64_t value64;
-        int32_t value32;
-        int16_t value16;
-        int8_t value8;
-    } uv;
-
-    buf_shrink_expand(value->ptr, value->length, tmp, def->type_size);
-    switch (def->type_size * 8) {
-        case 256:
-            convertUint256BE(tmp, def->type_size, &uv.value256);
-            ret = tostring256_signed(&uv.value256, 10, buf, buf_size);
-            break;
-        case 128:
-            convertUint128BE(tmp, def->type_size, &uv.value128);
-            ret = tostring128_signed(&uv.value128, 10, buf, buf_size);
-            break;
-        case 64:
-            uv.value64 = read_u64_be(tmp, 0);
-            ret = format_i64(buf, buf_size, uv.value64);
-            break;
-        case 32:
-            uv.value32 = read_u32_be(tmp, 0);
-            ret = format_i64(buf, buf_size, (int64_t) uv.value32);
-            break;
-        case 16:
-            uv.value16 = read_u16_be(tmp, 0);
-            ret = format_i64(buf, buf_size, (int64_t) uv.value16);
-            break;
-        case 8:
-            uv.value8 = value->ptr[0];
-            ret = format_i64(buf, buf_size, (int64_t) uv.value8);
-            break;
-        default:
-            ret = false;
-    }
-    return ret;
+    return format_signed_int_be(value->ptr, value->length, def->type_size, buf, buf_size);
 }
 
 /**

src/features/sign_message_eip712/ui_logic.c

@@ -2,6 +2,7 @@
 #include "app_mem_utils.h"
 #include "mem_utils.h"
 #include "os_io.h"
+#include "format.h"
 #include "common_utils.h"  // uint256_to_decimal
 #include "common_712.h"
 #include "context_712.h"     // eip712_context_deinit
@@ -468,62 +469,18 @@ static bool ui_712_format_int(const uint8_t *data,
                               uint8_t length,
                               bool first,
                               const s_struct_712_field *field_ptr) {
-    uint256_t value256;
-    uint128_t value128;
-    int32_t value32;
-    int16_t value16;
-    int8_t value8;
-    uint8_t tmp[sizeof(int32_t)] = {0};
-
     // no reason for an integer to be received over multiple chunks
     if (!first) {
         return false;
     }
-    if (length < 1) {
+    if (!format_signed_int_be(data,
+                              length,
+                              field_ptr->type_size,
+                              strings.tmp.tmp,
+                              sizeof(strings.tmp.tmp))) {
         apdu_response_code = SWO_INCORRECT_DATA;
         return false;
     }
-    if (length > field_ptr->type_size) {
-        apdu_response_code = SWO_INCORRECT_DATA;
-        return false;
-    }
-
-    switch (field_ptr->type_size * 8) {
-        case 256:
-            convertUint256BE(data, length, &value256);
-            tostring256_signed(&value256, 10, strings.tmp.tmp, sizeof(strings.tmp.tmp));
-            break;
-        case 128:
-            convertUint128BE(data, length, &value128);
-            tostring128_signed(&value128, 10, strings.tmp.tmp, sizeof(strings.tmp.tmp));
-            break;
-        case 64:
-            convertUint64BEto128(data, length, &value128);
-            tostring128_signed(&value128, 10, strings.tmp.tmp, sizeof(strings.tmp.tmp));
-            break;
-        case 32:
-            buf_shrink_expand(data, length, tmp, sizeof(int32_t));
-            value32 = (int32_t) read_u32_be(tmp, 0);
-            snprintf(strings.tmp.tmp, sizeof(strings.tmp.tmp), "%d", value32);
-            break;
-        case 16:
-            buf_shrink_expand(data, length, tmp, sizeof(int16_t));
-            value16 = (int16_t) read_u16_be(tmp, 0);
-            snprintf(strings.tmp.tmp, sizeof(strings.tmp.tmp), "%d", value16);
-            break;
-        case 8:
-            if (length != sizeof(int8_t)) {
-                apdu_response_code = SWO_INCORRECT_DATA;
-                return false;
-            }
-            value8 = (int8_t) data[0];
-            snprintf(strings.tmp.tmp, sizeof(strings.tmp.tmp), "%d", value8);
-            break;
-        default:
-            PRINTF("Unhandled field typesize\n");
-            apdu_response_code = SWO_INCORRECT_DATA;
-            return false;
-    }
     return true;
 }
 

src/utils.c

@@ -1,6 +1,67 @@
 #include <ctype.h>
 #include <string.h>
 #include "utils.h"
+#include "common_utils.h"
+#include "uint128.h"
+#include "uint256.h"
+#include "format.h"
+#include "read.h"
+
+/**
+ * @brief Format a big-endian signed integer as a decimal string
+ *
+ * Mirrors the ABI encode_int() sign convention: a value is treated as negative
+ * only when it arrives at full type width and has its MSB set. Shorter values
+ * are always treated as non-negative and formatted via uint256_to_decimal.
+ *
+ * @param[in]  data      Raw big-endian bytes of the value
+ * @param[in]  length    Number of bytes in data (must be 1..type_size)
+ * @param[in]  type_size Declared byte width of the integer type (e.g. 32 for int256)
+ * @param[out] buf       Output string buffer
+ * @param[in]  buf_size  Size of buf
+ * @return true on success, false on invalid input or formatting failure
+ */
+bool format_signed_int_be(const uint8_t *data,
+                          uint8_t length,
+                          uint8_t type_size,
+                          char *buf,
+                          size_t buf_size) {
+    uint8_t tmp[INT256_LENGTH];
+    union {
+        uint256_t value256;
+        uint128_t value128;
+        int64_t value64;
+    } uv;
+
+    if ((length == 0) || (length > type_size)) {
+        return false;
+    }
+
+    // Positive if truncated or MSB not set — treat as unsigned
+    if ((length != type_size) || ((data[0] & 0x80) == 0)) {
+        return uint256_to_decimal(data, length, buf, buf_size);
+    }
+
+    // Negative: sign-extend with 0xFF into the smallest fitting container
+    if (type_size <= sizeof(uv.value64)) {
+        memset(tmp, 0xFF, sizeof(uv.value64) - length);
+        memcpy(tmp + sizeof(uv.value64) - length, data, length);
+        uv.value64 = (int64_t) read_u64_be(tmp, 0);
+        return format_i64(buf, buf_size, uv.value64);
+    } else if (type_size <= sizeof(uv.value128)) {
+        memset(tmp, 0xFF, sizeof(uv.value128) - length);
+        memcpy(tmp + sizeof(uv.value128) - length, data, length);
+        convertUint128BE(tmp, sizeof(uv.value128), &uv.value128);
+        return tostring128_signed(&uv.value128, 10, buf, buf_size);
+    } else if (type_size <= sizeof(uv.value256)) {
+        memset(tmp, 0xFF, sizeof(uv.value256) - length);
+        memcpy(tmp + sizeof(uv.value256) - length, data, length);
+        convertUint256BE(tmp, sizeof(uv.value256), &uv.value256);
+        return tostring256_signed(&uv.value256, 10, buf, buf_size);
+    }
+    PRINTF("Error: wrong int typesize (%u bytes)\n", type_size);
+    return false;
+}
 
 /**
  * @brief Shrinks or expands a buffer to fit a destination size

src/utils.h

@@ -2,9 +2,15 @@
 
 #include <stdint.h>
 #include <stdbool.h>
+#include <stddef.h>
 
 #define SET_BIT(a) (1 << a)
 
 void buf_shrink_expand(const uint8_t *src, size_t src_size, uint8_t *dst, size_t dst_size);
 void str_cpy_explicit_trunc(const char *src, size_t src_size, char *dst, size_t dst_size);
 void reverseString(char *const str, uint32_t length);
+bool format_signed_int_be(const uint8_t *data,
+                          uint8_t length,
+                          uint8_t type_size,
+                          char *buf,
+                          size_t buf_size);