aboutsummaryrefslogtreecommitdiff
path: root/src/serialize.h
diff options
context:
space:
mode:
authorGregory Maxwell <greg@xiph.org>2017-02-06 02:52:27 +0000
committerGregory Maxwell <greg@xiph.org>2017-02-06 02:52:27 +0000
commit45f09618f22f0a59d872818f28fc2a938cc98311 (patch)
treefd1f094b1d3476bd1908413f5c94d96f33f1d349 /src/serialize.h
parent923dc447eaa8e017985b2afbbb12dd1283fbea0e (diff)
Prevent integer overflow in ReadVarInt.
We don't normally use ReadVarInt from untrusted inputs, but we might see this in the case of corruption. This is exposed in test_bitcoin_fuzzy.
Diffstat (limited to 'src/serialize.h')
-rw-r--r--src/serialize.h11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/serialize.h b/src/serialize.h
index e4d72d2348..e82ddf2c5a 100644
--- a/src/serialize.h
+++ b/src/serialize.h
@@ -336,11 +336,18 @@ I ReadVarInt(Stream& is)
I n = 0;
while(true) {
unsigned char chData = ser_readdata8(is);
+ if (n > (std::numeric_limits<I>::max() >> 7)) {
+ throw std::ios_base::failure("ReadVarInt(): size too large");
+ }
n = (n << 7) | (chData & 0x7F);
- if (chData & 0x80)
+ if (chData & 0x80) {
+ if (n == std::numeric_limits<I>::max()) {
+ throw std::ios_base::failure("ReadVarInt(): size too large");
+ }
n++;
- else
+ } else {
return n;
+ }
}
}