authorMarcoFalke <falke.marco@gmail.com>2021-11-02 21:59:39 +0100
committerMacroFake <falke.marco@gmail.com>2022-06-22 09:32:09 +0200
commitfa07f84e316171d60dd9941fb8db37e0a0de6654 (patch)
tree58bcd96dc55f91fe4ea8104b1a59058af78c8c17
parentfa52cf8e11b3af6e0a302d5d17aab6cea78899d5 (diff)
downloadbitcoin-fa07f84e316171d60dd9941fb8db37e0a0de6654.tar.xz
Fix signed integer overflow in prioritisetransaction RPC
-rw-r--r--src/txmempool.cpp13
-rw-r--r--test/sanitizer_suppressions/ubsan4
2 files changed, 9 insertions, 8 deletions
diff --git a/src/txmempool.cpp b/src/txmempool.cpp
index 9f785d4115..b2417190cf 100644
--- a/src/txmempool.cpp
+++ b/src/txmempool.cpp
@@ -16,6 +16,7 @@
#include <reverse_iterator.h>
#include <util/check.h>
#include <util/moneystr.h>
+#include <util/overflow.h>
#include <util/system.h>
#include <util/time.h>
#include <validationinterface.h>
@@ -93,9 +94,9 @@ CTxMemPoolEntry::CTxMemPoolEntry(const CTransactionRef& tx, CAmount fee,
void CTxMemPoolEntry::UpdateModifiedFee(CAmount fee_diff)
{
- nModFeesWithDescendants += fee_diff;
- nModFeesWithAncestors += fee_diff;
- m_modified_fee += fee_diff;
+ nModFeesWithDescendants = SaturatingAdd(nModFeesWithDescendants, fee_diff);
+ nModFeesWithAncestors = SaturatingAdd(nModFeesWithAncestors, fee_diff);
+ m_modified_fee = SaturatingAdd(m_modified_fee, fee_diff);
}
void CTxMemPoolEntry::UpdateLockPoints(const LockPoints& lp)
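Review bot: The three totals in UpdateModifiedFee now clamp independently, and nothing records that a clamp happened, so once one saturates a later opposite-signed delta leaves it off from the true sum. For example, a value just below the maximum that is pushed up by 10 and then down by 10 ends lower than it started. The same applies to the aggregate updates in UpdateDescendantState (`nModFeesWithDescendants = SaturatingAdd(...)`) and UpdateAncestorState (`nModFeesWithAncestors = SaturatingAdd(...)`), which presumably also subtract fees when entries leave the pool. I would document this at the function, e.g. `// Saturating: avoids signed-overflow UB, but after a clamp the totals are no longer the exact sum of applied deltas.` If exactness matters to callers such as fee-rate ordering or consistency checks, rejecting out-of-range deltas at the RPC boundary would keep these invariants intact; that code is not visible here.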
@@ -437,7 +438,7 @@ void CTxMemPoolEntry::UpdateDescendantState(int64_t modifySize, CAmount modifyFe
{
nSizeWithDescendants += modifySize;
assert(int64_t(nSizeWithDescendants) > 0);
- nModFeesWithDescendants += modifyFee;
+ nModFeesWithDescendants = SaturatingAdd(nModFeesWithDescendants, modifyFee);
nCountWithDescendants += modifyCount;
assert(int64_t(nCountWithDescendants) > 0);
}
@@ -446,7 +447,7 @@ void CTxMemPoolEntry::UpdateAncestorState(int64_t modifySize, CAmount modifyFee,
{
nSizeWithAncestors += modifySize;
assert(int64_t(nSizeWithAncestors) > 0);
- nModFeesWithAncestors += modifyFee;
+ nModFeesWithAncestors = SaturatingAdd(nModFeesWithAncestors, modifyFee);
nCountWithAncestors += modifyCount;
assert(int64_t(nCountWithAncestors) > 0);
nSigOpCostWithAncestors += modifySigOps;
@@ -921,7 +922,7 @@ void CTxMemPool::PrioritiseTransaction(const uint256& hash, const CAmount& nFeeD
{
LOCK(cs);
CAmount &delta = mapDeltas[hash];
- delta += nFeeDelta;
+ delta = SaturatingAdd(delta, nFeeDelta);
txiter it = mapTx.find(hash);
if (it != mapTx.end()) {
mapTx.modify(it, [&nFeeDelta](CTxMemPoolEntry& e) { e.UpdateModifiedFee(nFeeDelta); });
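Review bot: `delta = SaturatingAdd(delta, nFeeDelta)` clamps the stored entry in mapDeltas, while `e.UpdateModifiedFee(nFeeDelta)` clamps the entry's own fee fields separately, so after saturation the two can stop agreeing on the effective delta. The caller also gets no indication that its request was only partly applied. Since nFeeDelta appears to come from the prioritisetransaction RPC, I would note the behaviour here, e.g. `// Clamped on overflow; mapDeltas and the entry's modified fee may then diverge.`, and consider logging when the result differs from the requested sum. The function body continues past the end of this hunk, so any existing logging or return handling is not visible.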
diff --git a/test/sanitizer_suppressions/ubsan b/test/sanitizer_suppressions/ubsan
index e6cfe5f81a..67ef512895 100644
--- a/test/sanitizer_suppressions/ubsan
+++ b/test/sanitizer_suppressions/ubsan
@@ -1,10 +1,10 @@
# -fsanitize=undefined suppressions
# =================================
-# This would be `signed-integer-overflow:CTxMemPool::PrioritiseTransaction`,
+# The suppressions would be `sanitize-type:ClassName::MethodName`,
# however due to a bug in clang the symbolizer is disabled and thus no symbol
# names can be used.
# See https://github.com/google/sanitizers/issues/1364
-signed-integer-overflow:txmempool.cpp
+
# https://github.com/bitcoin/bitcoin/pull/21798#issuecomment-829180719
signed-integer-overflow:policy/feerate.cpp
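Review bot: Dropping the file-wide `signed-integer-overflow:txmempool.cpp` suppression only protects against regressions if something drives the overflowing path under UBSan, and the diffstat lists no test change alongside it. A functional or unit test that calls prioritisetransaction with deltas near the CAmount limits would pin the saturating behaviour; an existing fuzz target may already cover this, but that is not visible here. The suppression covered the whole file, so the remaining plain `+=` updates in txmempool.cpp (for example `nSigOpCostWithAncestors += modifySigOps`) are now also checked; their operand types are not shown, so it is worth confirming they cannot overflow.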