Prevent integer overflow in ReadVarInt.

We don't normally use ReadVarInt from untrusted inputs, but we might see this in the case of corruption. This is exposed in test_bitcoin_fuzzy.
author: Gregory Maxwell <greg@xiph.org> 2017-02-06 02:52:27 +0000
committer: Gregory Maxwell <greg@xiph.org> 2017-02-06 02:52:27 +0000
commit: 45f09618f22f0a59d872818f28fc2a938cc98311 (patch)
tree: fd1f094b1d3476bd1908413f5c94d96f33f1d349 /src/serialize.h
parent: 923dc447eaa8e017985b2afbbb12dd1283fbea0e (diff)
download: bitcoin-45f09618f22f0a59d872818f28fc2a938cc98311.tar.xz
1 files changed, 9 insertions, 2 deletions
diff --git a/src/serialize.h b/src/serialize.h
index e4d72d2348..e82ddf2c5a 100644
--- a/src/serialize.h
+++ b/src/serialize.h
@@ -336,11 +336,18 @@ I ReadVarInt(Stream& is)
     I n = 0;
     while(true) {
         unsigned char chData = ser_readdata8(is);
+        if (n > (std::numeric_limits<I>::max() >> 7)) {
+           throw std::ios_base::failure("ReadVarInt(): size too large");
+        }
         n = (n << 7) | (chData & 0x7F);
-        if (chData & 0x80)
+        if (chData & 0x80) {
+            if (n == std::numeric_limits<I>::max()) {
+                throw std::ios_base::failure("ReadVarInt(): size too large");
+            }
             n++;
-        else
+        } else {
             return n;
+        }
     }
 }
author	Gregory Maxwell <greg@xiph.org>	2017-02-06 02:52:27 +0000
committer	Gregory Maxwell <greg@xiph.org>	2017-02-06 02:52:27 +0000
commit	45f09618f22f0a59d872818f28fc2a938cc98311 (patch)
tree	fd1f094b1d3476bd1908413f5c94d96f33f1d349 /src/serialize.h
parent	923dc447eaa8e017985b2afbbb12dd1283fbea0e (diff)
download	bitcoin-45f09618f22f0a59d872818f28fc2a938cc98311.tar.xz