Prevent integer overflow in ReadVarInt.

We don't normally use ReadVarInt from untrusted inputs, but we might
 see this in the case of corruption.

This is exposed in test_bitcoin_fuzzy.
pull/365/head
Gregory Maxwell 8 years ago
parent 923dc447ea
commit 45f09618f2

@ -336,11 +336,18 @@ I ReadVarInt(Stream& is)
I n = 0; I n = 0;
while(true) { while(true) {
unsigned char chData = ser_readdata8(is); unsigned char chData = ser_readdata8(is);
if (n > (std::numeric_limits<I>::max() >> 7)) {
throw std::ios_base::failure("ReadVarInt(): size too large");
}
n = (n << 7) | (chData & 0x7F); n = (n << 7) | (chData & 0x7F);
if (chData & 0x80) if (chData & 0x80) {
if (n == std::numeric_limits<I>::max()) {
throw std::ios_base::failure("ReadVarInt(): size too large");
}
n++; n++;
else } else {
return n; return n;
}
} }
} }

Loading…
Cancel
Save