fix a deserialization overflow edge case

A specially-constructed BlockTransactionsRequest can overflow in
deserialization in a way that is currently harmless.

Github-Pull: #14685
Rebased-From: 6bed4b374d
This commit is contained in:
Kaz Wesley 2018-11-07 12:39:44 -08:00 committed by MarcoFalke
parent 94065024c7
commit 5331ad0506

View file

@ -52,12 +52,12 @@ public:
} }
} }
uint16_t offset = 0; int32_t offset = 0;
for (size_t j = 0; j < indexes.size(); j++) { for (size_t j = 0; j < indexes.size(); j++) {
if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max()) if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max())
throw std::ios_base::failure("indexes overflowed 16 bits"); throw std::ios_base::failure("indexes overflowed 16 bits");
indexes[j] = indexes[j] + offset; indexes[j] = indexes[j] + offset;
offset = indexes[j] + 1; offset = int32_t(indexes[j]) + 1;
} }
} else { } else {
for (size_t i = 0; i < indexes.size(); i++) { for (size_t i = 0; i < indexes.size(); i++) {