Prevent integer overflow in ReadVarInt.

We don't normally use ReadVarInt from untrusted inputs, but we might see this in the case of corruption. This is exposed in test_bitcoin_fuzzy.
8 years ago · 45f09618f2
1 changed files with 9 additions and 2 deletions
--- a/src/serialize.h
+++ b/src/serialize.h
@ -336,13 +336,20 @@ I ReadVarInt(Stream& is)
				@@ -336,13 +336,20 @@ I ReadVarInt(Stream& is)
    I n = 0;
    while(true) {
        unsigned char chData = ser_readdata8(is);
+        if (n > (std::numeric_limits<I>::max() >> 7)) {
+           throw std::ios_base::failure("ReadVarInt(): size too large");
+        }
        n = (n << 7) | (chData & 0x7F);
-        if (chData & 0x80)
+        if (chData & 0x80) {
+            if (n == std::numeric_limits<I>::max()) {
+                throw std::ios_base::failure("ReadVarInt(): size too large");
+            }
            n++;
-        else
+        } else {
            return n;
        }
    }
+}

 #define FLATDATA(obj) REF(CFlatData((char*)&(obj), (char*)&(obj) + sizeof(obj)))
 #define VARINT(obj) REF(WrapVarInt(REF(obj)))