Detect MerkleProof multiproof invariant violation

[frangio]

Cherry picked fix for GHSA-wprv-93r4-jj2p with adjustments for custom errors from 4d2383e in release-v4.9.

[changeset-bot]

🦋 Changeset detected

Latest commit: bd44698

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
openzeppelin-solidity	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[ernestognw]

Neat, thanks!

[frangio]

Coverage says these new revert statements are not tested, but they are... I'm starting to think solidity-coverage doesn't understand revert statement.

[ernestognw]

Not quite, seems like the test is not hitting the second case. Note that in Codecov appears twice because we have the memory and the calldata version of the same function

I'll take a look

[frangio]

Ah, I see, I was misunderstanding the coverage report. I just pushed a change that covers the right revert statement.

[Amxx]

Shouldn't we cherrypick the commit that includes the 4.9.2 changelog rather than getting the changeset ?

[frangio]

I was planning to merge this then merge the release branch which would remove the changeset and update the changelog and package.json.

[Amxx]

In a perfect world I would have prefered the 4.9 release branch to bring that into master, and then fix the custom error in a PR that is "string → custom error" ...

... but that is workflow stuff.

code LGTM