author | Gregory Maxwell <greg@xiph.org> | 2017-02-06 02:52:27 +0000 |
---|---|---|
committer | Gregory Maxwell <greg@xiph.org> | 2017-02-06 02:52:27 +0000 |
commit | 45f09618f22f0a59d872818f28fc2a938cc98311 (patch) | |
tree | fd1f094b1d3476bd1908413f5c94d96f33f1d349 /src/serialize.h | |
parent | 923dc447eaa8e017985b2afbbb12dd1283fbea0e (diff) |
Prevent integer overflow in ReadVarInt.
We don't normally use ReadVarInt from untrusted inputs, but we might
see this in the case of corruption.
This is exposed in test_bitcoin_fuzzy.
Diffstat (limited to 'src/serialize.h')
-rw-r--r-- | src/serialize.h | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/serialize.h b/src/serialize.h index e4d72d2348..e82ddf2c5a 100644 --- a/src/serialize.h +++ b/src/serialize.h @@ -336,11 +336,18 @@ I ReadVarInt(Stream& is) I n = 0; while(true) { unsigned char chData = ser_readdata8(is); + if (n > (std::numeric_limits<I>::max() >> 7)) { + throw std::ios_base::failure("ReadVarInt(): size too large"); + } n = (n << 7) | (chData & 0x7F); - if (chData & 0x80) + if (chData & 0x80) { + if (n == std::numeric_limits<I>::max()) { + throw std::ios_base::failure("ReadVarInt(): size too large"); + } n++; - else + } else { return n; + } } } |
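Review bot: Both new throws in the loop carry the same message, "ReadVarInt(): size too large", although they guard different operations: the first protects the `n << 7` shift and the second protects the `n++` on a continuation byte. A one-line comment on each guard, or distinct messages, would let a failure seen in test_bitcoin_fuzzy be attributed to the right condition. The wording "size" is also narrower than what the function decodes, since ReadVarInt returns a generic integer of type I; something like "value too large" would fit better. The new code depends on std::numeric_limits and the patch adds no include, so confirm that serialize.h already includes <limits> rather than picking it up transitively.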