Browse Source

Prevent integer overflow in ReadVarInt.

We don't normally use ReadVarInt from untrusted inputs, but we might
 see this in the case of corruption.

This is exposed in test_bitcoin_fuzzy.
0.15
Gregory Maxwell 8 years ago
parent
commit
45f09618f2
  1. 11
      src/serialize.h

11
src/serialize.h

@ -336,13 +336,20 @@ I ReadVarInt(Stream& is)
I n = 0; I n = 0;
while(true) { while(true) {
unsigned char chData = ser_readdata8(is); unsigned char chData = ser_readdata8(is);
if (n > (std::numeric_limits<I>::max() >> 7)) {
throw std::ios_base::failure("ReadVarInt(): size too large");
}
n = (n << 7) | (chData & 0x7F); n = (n << 7) | (chData & 0x7F);
if (chData & 0x80) if (chData & 0x80) {
if (n == std::numeric_limits<I>::max()) {
throw std::ios_base::failure("ReadVarInt(): size too large");
}
n++; n++;
else } else {
return n; return n;
} }
} }
}
#define FLATDATA(obj) REF(CFlatData((char*)&(obj), (char*)&(obj) + sizeof(obj))) #define FLATDATA(obj) REF(CFlatData((char*)&(obj), (char*)&(obj) + sizeof(obj)))
#define VARINT(obj) REF(WrapVarInt(REF(obj))) #define VARINT(obj) REF(WrapVarInt(REF(obj)))

Loading…
Cancel
Save