diff options
author | Kaz Wesley <kaz@lambdaverse.org> | 2018-11-07 12:39:44 -0800 |
---|---|---|
committer | Kaz Wesley <kaz@lambdaverse.org> | 2018-11-13 12:14:34 -0800 |
commit | 6bed4b374daf26233e96fa7863d4324a5bfa99c2 (patch) | |
tree | 36b4b7ce50c50ce97b931c0cea37c25e1d09a0c8 /src/blockencodings.h | |
parent | 051faf7e9d4e32142f95f7adb31d2f53f656cb66 (diff) |
fix a deserialization overflow edge case
A specially-constructed BlockTransactionsRequest can overflow in
deserialization in a way that is currently harmless.
Diffstat (limited to 'src/blockencodings.h')
-rw-r--r-- | src/blockencodings.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/blockencodings.h b/src/blockencodings.h index fad1f56f54..4bfe538250 100644 --- a/src/blockencodings.h +++ b/src/blockencodings.h @@ -52,12 +52,12 @@ public: } } - uint16_t offset = 0; + int32_t offset = 0; for (size_t j = 0; j < indexes.size(); j++) { - if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max()) + if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max()) throw std::ios_base::failure("indexes overflowed 16 bits"); indexes[j] = indexes[j] + offset; - offset = indexes[j] + 1; + offset = int32_t(indexes[j]) + 1; } } else { for (size_t i = 0; i < indexes.size(); i++) { |