fix(api): validate block number range in parseBlockNumber

parseBlockNumber previously returned BigInteger, letting callers narrow
with .longValue() and silently wrap past Long.MAX_VALUE. Return long
directly and enforce two invariants at the API boundary so corrupted
inputs never reach downstream block lookups:

- signum check rejects negative inputs (both "-1" and "0x-1"),
  a protocol-level constraint block numbers can never violate
- longValueExact rejects values that overflow signed 64-bit,
  including uint64 wraparounds like 0xffffffffffffffff

Callers in Wallet and TronJsonRpcImpl drop the obsolete .longValue()
call; the other three call sites already discarded the return value.

Regression tests cover negatives, 0x7fffffffffffffff (max long),
0x8000000000000000 (just past), and 0xffffffffffffffff (uint64).

Author: bladehan1

framework/src/main/java/org/tron/core/Wallet.java

@@ -743,7 +743,7 @@ public Block getByJsonBlockId(String id) throws JsonRpcInvalidParamsException {
     } else if (PENDING_STR.equalsIgnoreCase(id)) {
       throw new JsonRpcInvalidParamsException(TAG_PENDING_SUPPORT_ERROR);
     } else {
-      long blockNumber = parseBlockNumber(id).longValue();
+      long blockNumber = parseBlockNumber(id);
       return getBlockByNum(blockNumber);
     }
   }

framework/src/main/java/org/tron/core/services/jsonrpc/JsonRpcApiUtil.java

@@ -527,19 +527,30 @@ public static long parseEnergyFee(long timestamp, String energyPriceHistory) {
   private static final String BLOCK_NUM_ERROR = "invalid block number";
 
   /**
-   * Parse a JSON-RPC block number (hex "0x..." or decimal) into a BigInteger,
-   * enforcing the {@link #MAX_BLOCK_NUM_HEX_LEN} length limit.
+   * Parse a JSON-RPC block number (hex "0x..." or decimal) into a long,
+   * enforcing the {@link #MAX_BLOCK_NUM_HEX_LEN} length limit, rejecting
+   * negative values, and rejecting values that overflow a signed 64-bit
+   * block number.
    */
-  public static BigInteger parseBlockNumber(String blockNumOrTag)
+  public static long parseBlockNumber(String blockNumOrTag)
       throws JsonRpcInvalidParamsException {
     if (blockNumOrTag == null || blockNumOrTag.length() > MAX_BLOCK_NUM_HEX_LEN) {
       throw new JsonRpcInvalidParamsException(BLOCK_NUM_ERROR);
     }
+    BigInteger value;
     try {
-      return ByteArray.hexToBigInteger(blockNumOrTag);
+      value = ByteArray.hexToBigInteger(blockNumOrTag);
     } catch (Exception e) {
       throw new JsonRpcInvalidParamsException(BLOCK_NUM_ERROR);
     }
+    if (value.signum() < 0) {
+      throw new JsonRpcInvalidParamsException(BLOCK_NUM_ERROR);
+    }
+    try {
+      return value.longValueExact();
+    } catch (ArithmeticException e) {
+      throw new JsonRpcInvalidParamsException(BLOCK_NUM_ERROR);
+    }
   }
 
   public static long getByJsonBlockId(String blockNumOrTag, Wallet wallet)

framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java

@@ -957,7 +957,7 @@ public String getCall(CallArguments transactionCall, Object blockParamObj)
           throw new JsonRpcInvalidParamsException(JSON_ERROR);
         }
 
-        long blockNumber = parseBlockNumber(blockNumOrTag).longValue();
+        long blockNumber = parseBlockNumber(blockNumOrTag);
 
         if (wallet.getBlockByNum(blockNumber) == null) {
           throw new JsonRpcInternalException(NO_BLOCK_HEADER);

framework/src/test/java/org/tron/core/services/jsonrpc/JsonRpcApiUtilTest.java

@@ -3,29 +3,48 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
 
-import java.math.BigInteger;
 import org.junit.Test;
 import org.tron.core.exception.jsonrpc.JsonRpcInvalidParamsException;
 
 public class JsonRpcApiUtilTest {
 
   @Test
   public void parseBlockNumberAcceptsHex() throws JsonRpcInvalidParamsException {
-    assertEquals(BigInteger.valueOf(0x1a), JsonRpcApiUtil.parseBlockNumber("0x1a"));
-    assertEquals(BigInteger.ZERO, JsonRpcApiUtil.parseBlockNumber("0x0"));
+    assertEquals(0x1aL, JsonRpcApiUtil.parseBlockNumber("0x1a"));
+    assertEquals(0L, JsonRpcApiUtil.parseBlockNumber("0x0"));
   }
 
   @Test
   public void parseBlockNumberAcceptsDecimal() throws JsonRpcInvalidParamsException {
-    assertEquals(BigInteger.valueOf(12345), JsonRpcApiUtil.parseBlockNumber("12345"));
+    assertEquals(12345L, JsonRpcApiUtil.parseBlockNumber("12345"));
   }
 
   @Test
-  public void parseBlockNumberAcceptsMaxLength() throws JsonRpcInvalidParamsException {
-    // 0x + 98 hex chars = 100 chars total, at the limit
-    String maxValid = "0x" + new String(new char[98]).replace('\0', 'f');
-    assertEquals(100, maxValid.length());
-    JsonRpcApiUtil.parseBlockNumber(maxValid);
+  public void parseBlockNumberAcceptsMaxLongValue() throws JsonRpcInvalidParamsException {
+    assertEquals(Long.MAX_VALUE,
+        JsonRpcApiUtil.parseBlockNumber("0x7fffffffffffffff"));
+  }
+
+  @Test
+  public void parseBlockNumberRejectsNegative() {
+    JsonRpcInvalidParamsException e1 = assertThrows(JsonRpcInvalidParamsException.class,
+        () -> JsonRpcApiUtil.parseBlockNumber("-1"));
+    assertEquals("invalid block number", e1.getMessage());
+    JsonRpcInvalidParamsException e2 = assertThrows(JsonRpcInvalidParamsException.class,
+        () -> JsonRpcApiUtil.parseBlockNumber("0x-1"));
+    assertEquals("invalid block number", e2.getMessage());
+  }
+
+  @Test
+  public void parseBlockNumberRejectsOverflow() {
+    // 2^64 - 1: fits uint64 but overflows signed long
+    JsonRpcInvalidParamsException e1 = assertThrows(JsonRpcInvalidParamsException.class,
+        () -> JsonRpcApiUtil.parseBlockNumber("0xffffffffffffffff"));
+    assertEquals("invalid block number", e1.getMessage());
+    // 2^63: just past Long.MAX_VALUE
+    JsonRpcInvalidParamsException e2 = assertThrows(JsonRpcInvalidParamsException.class,
+        () -> JsonRpcApiUtil.parseBlockNumber("0x8000000000000000"));
+    assertEquals("invalid block number", e2.getMessage());
   }
 
   @Test