diff options
| author | Gregory Maxwell <[email protected]> | 2017-02-06 02:52:27 +0000 |
|---|---|---|
| committer | Gregory Maxwell <[email protected]> | 2017-02-06 02:52:27 +0000 |
| commit | 45f09618f22f0a59d872818f28fc2a938cc98311 (patch) | |
| tree | fd1f094b1d3476bd1908413f5c94d96f33f1d349 /src | |
| parent | Merge #9578: Add missing mempool lock for CalculateMemPoolAncestors (diff) | |
| download | discoin-45f09618f22f0a59d872818f28fc2a938cc98311.tar.xz discoin-45f09618f22f0a59d872818f28fc2a938cc98311.zip | |
Prevent integer overflow in ReadVarInt.
We don't normally use ReadVarInt from untrusted inputs, but we might
see this in the case of corruption.
This is exposed in test_bitcoin_fuzzy.
Diffstat (limited to 'src')
| -rw-r--r-- | src/serialize.h | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/serialize.h b/src/serialize.h index e4d72d234..e82ddf2c5 100644 --- a/src/serialize.h +++ b/src/serialize.h @@ -336,11 +336,18 @@ I ReadVarInt(Stream& is) I n = 0; while(true) { unsigned char chData = ser_readdata8(is); + if (n > (std::numeric_limits<I>::max() >> 7)) { + throw std::ios_base::failure("ReadVarInt(): size too large"); + } n = (n << 7) | (chData & 0x7F); - if (chData & 0x80) + if (chData & 0x80) { + if (n == std::numeric_limits<I>::max()) { + throw std::ios_base::failure("ReadVarInt(): size too large"); + } n++; - else + } else { return n; + } } } |