fix a deserialization overflow edge case

A specially-constructed BlockTransactionsRequest can overflow in
deserialization in a way that is currently harmless.

Github-Pull: #14685
Rebased-From: 6bed4b374d
This commit is contained in:
Kaz Wesley 2018-11-07 12:39:44 -08:00 committed by MarcoFalke
parent 94065024c7
commit 5331ad0506

View file

@ -52,12 +52,12 @@ public:
}
}
uint16_t offset = 0;
int32_t offset = 0;
for (size_t j = 0; j < indexes.size(); j++) {
if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max())
if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max())
throw std::ios_base::failure("indexes overflowed 16 bits");
indexes[j] = indexes[j] + offset;
offset = indexes[j] + 1;
offset = int32_t(indexes[j]) + 1;
}
} else {
for (size_t i = 0; i < indexes.size(); i++) {