From 6bed4b374daf26233e96fa7863d4324a5bfa99c2 Mon Sep 17 00:00:00 2001
From: Kaz Wesley
Date: Wed, 7 Nov 2018 12:39:44 -0800
Subject: [PATCH] fix a deserialization overflow edge case

A specially-constructed BlockTransactionsRequest can overflow in deserialization in a way that is currently harmless.
---
 src/blockencodings.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/blockencodings.h b/src/blockencodings.h
index fad1f56f547..4bfe538250c 100644
--- a/src/blockencodings.h
+++ b/src/blockencodings.h
@@ -52,12 +52,12 @@ public:
 }
 }
- uint16_t offset = 0;
+ int32_t offset = 0;
 for (size_t j = 0; j < indexes.size(); j++) {
- if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits::max())
+ if (int32_t(indexes[j]) + offset > std::numeric_limits::max())
 throw std::ios_base::failure("indexes overflowed 16 bits");
 indexes[j] = indexes[j] + offset;
- offset = indexes[j] + 1;
+ offset = int32_t(indexes[j]) + 1;
 }
 } else {
 for (size_t i = 0; i < indexes.size(); i++) {
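Review bot: Nothing in the new loop records why `offset` is declared `int32_t` while the sums it takes part in are checked against a 16-bit limit, so a later cleanup could narrow it again and bring the wrap back. I would put a comment above the declaration, for example `// wider than 16 bits on purpose: indexes[j] + 1 must not wrap to 0 when indexes[j] is at the 16-bit maximum`. The patch changes only src/blockencodings.h, so the fix also lands without a regression test; a deserialization test whose differential indexes sum past the 16-bit maximum and which expects `std::ios_base::failure` would pin the behaviour. The element type of `indexes` is not visible here, so the 16-bit width is inferred from the error string, and the enclosing function begins and ends outside the hunk.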