author | Wladimir J. van der Laan <laanwj@gmail.com> | 2018-03-19 17:25:53 +0100
---|---|---
committer | Wladimir J. van der Laan <laanwj@gmail.com> | 2018-03-19 17:26:43 +0100
commit | ee7b67e2784a5f08dffa6b05cee0e64c53a693c8 (patch) |
tree | 9c4df5c9440f9dd5d787e9f1af2c5703c0f62d96 /src/protocol.h |
parent | ebdf84c9601e7a3ccf66974b5efba67f6d064456 (diff) |
parent | 499d95e278f34790660a2b9baf5525e0def1485a (diff) |
Merge #9753: Add static_assert to prevent VARINT(<signed value>)
499d95e27 Add static_assert to prevent VARINT(<signed value>) (Russell Yanofsky)
Pull request description:
Using VARINT with signed types is dangerous because negative values will appear to serialize correctly, but then deserialize as positive values mod 128.
This commit changes the VARINT macro to trigger a compile error by default if called with a signed value, and it updates existing broken uses of VARINT to pass a special flag that lets them keep working with no changes in behavior.
There is some discussion about this issue here: https://github.com/bitcoin/bitcoin/pull/9693#issuecomment-278701473. I think another good change along these lines would be to make `GetSizeOfVarInt` and `WriteVarInt` throw exceptions if they are passed numbers less than 0 to serialize. But unlike this change, that would be a change in runtime behavior, and need more consideration.
Tree-SHA512: 082c65598cfac6dc1da042bdb47dbc9d5d789fc849fe52921cc238578588f4e5ff976c8b4b2ce42cb75290eb14f3b42ea76e26202c223c5b2aa63ef45c2ea3cc
Diffstat (limited to 'src/protocol.h')
0 files changed, 0 insertions, 0 deletions
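Where the description above says a negative value "deserializes as a positive value mod 128", the following added example (not Bitcoin Core's code) reimplements the serialize.h VARINT scheme in a stand-alone form to show that failure and the kind of compile-time guard the PR introduces; the function names, the byte-vector I/O and the ReadVarInt helper are assumptions made for this example.

```cpp
// Added example, not Bitcoin Core's code: stand-alone reimplementation of the
// MSB-base-128 VARINT scheme from serialize.h. A negative n satisfies
// `n <= 0x7F` on the first iteration, so only its low 7 bits are written and
// the bytes read back as the non-negative value n mod 128.
#include <cstdint>
#include <type_traits>
#include <vector>

// Encoder as the scheme was written before the PR: correct only for unsigned I.
template <typename I>
std::vector<unsigned char> WriteVarIntRaw(I n)
{
    unsigned char tmp[(sizeof(n) * 8 + 6) / 7];
    int len = 0;
    while (true) {
        tmp[len] = (n & 0x7F) | (len ? 0x80 : 0x00);
        if (n <= 0x7F) break;     // any negative n exits here after one byte
        n = (n >> 7) - 1;         // each continuation byte implicitly carries +1
        len++;
    }
    std::vector<unsigned char> out;
    do { out.push_back(tmp[len]); } while (len--);  // most significant group first
    return out;
}

// Decoder: inverse of the scheme above, always yielding a non-negative value.
uint64_t ReadVarInt(const std::vector<unsigned char>& buf)
{
    uint64_t n = 0;
    for (unsigned char chData : buf) {
        n = (n << 7) | (chData & 0x7F);
        if (chData & 0x80) n++; else return n;
    }
    return n;  // unterminated input; a real reader would throw here
}

// Guarded entry point in the spirit of the PR: a signed I fails to compile.
template <typename I>
std::vector<unsigned char> WriteVarInt(I n)
{
    static_assert(std::is_unsigned<I>::value, "VARINT requires an unsigned type");
    return WriteVarIntRaw(n);
}

// The silent corruption: a signed int32 goes through the unguarded encoder.
int64_t RoundTripSigned(int32_t n) { return static_cast<int64_t>(ReadVarInt(WriteVarIntRaw(n))); }
```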