diff options
| author | Kaz Wesley <kaz@lambdaverse.org> | 2018-11-07 12:39:44 -0800 |
|---|---|---|
| committer | MarcoFalke <falke.marco@gmail.com> | 2018-11-28 15:35:05 -0500 |
| commit | 5331ad0506fa1e13a70613309532588b2cc74bb5 (patch) | |
| tree | f4ce9f62d0548d2a50c13e4f3b4cc97a33758b1b /src/blockencodings.h | |
| parent | 94065024c7ad049a3750102d8cdccf9d1ac73ee4 (diff) | |
fix a deserialization overflow edge case
A specially-constructed BlockTransactionsRequest can overflow in
deserialization in a way that is currently harmless.
Github-Pull: #14685
Rebased-From: 6bed4b374daf26233e96fa7863d4324a5bfa99c2
Diffstat (limited to 'src/blockencodings.h')
| -rw-r--r-- | src/blockencodings.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/blockencodings.h b/src/blockencodings.h index fad1f56f54..4bfe538250 100644 --- a/src/blockencodings.h +++ b/src/blockencodings.h @@ -52,12 +52,12 @@ public: } } - uint16_t offset = 0; + int32_t offset = 0; for (size_t j = 0; j < indexes.size(); j++) { - if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max()) + if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max()) throw std::ios_base::failure("indexes overflowed 16 bits"); indexes[j] = indexes[j] + offset; - offset = indexes[j] + 1; + offset = int32_t(indexes[j]) + 1; } } else { for (size_t i = 0; i < indexes.size(); i++) { |