aboutsummaryrefslogtreecommitdiffstats
path: root/rlp
diff options
context:
space:
mode:
authorFelix Lange <fjl@twurst.com>2015-04-14 06:54:12 +0800
committerFelix Lange <fjl@twurst.com>2015-04-17 20:45:09 +0800
commit2750ec47b7e7ff864eaed72255581e11080907d7 (patch)
treedf5ead8b41b4dbb49b990a59f4d41bd4422da787 /rlp
parent56a48101dc3dd96587915a5d7882f9d46ecc6ae9 (diff)
downloadgo-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.gz
go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.zst
go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.zip
rlp: fix integer overflow in list element size validation
It is not safe to add anything to s.size.
Diffstat (limited to 'rlp')
-rw-r--r--rlp/decode.go4
-rw-r--r--rlp/decode_test.go3
2 files changed, 5 insertions, 2 deletions
diff --git a/rlp/decode.go b/rlp/decode.go
index ca9252575..1e39054e6 100644
--- a/rlp/decode.go
+++ b/rlp/decode.go
@@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
tos = &s.stack[len(s.stack)-1]
}
if s.kind < 0 {
- // don't read further if we're at the end of the
+ // Don't read further if we're at the end of the
// innermost list.
if tos != nil && tos.pos == tos.size {
return 0, 0, EOL
@@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
}
} else {
// Inside a list, check that the value doesn't overflow the list.
- if tos.pos+s.size > tos.size {
+ if s.size > tos.size-tos.pos {
return 0, 0, ErrElemTooLarge
}
}
diff --git a/rlp/decode_test.go b/rlp/decode_test.go
index 6b37ab0ad..a64bfe3fd 100644
--- a/rlp/decode_test.go
+++ b/rlp/decode_test.go
@@ -112,6 +112,9 @@ func TestStreamErrors(t *testing.T) {
{"BFFFFFFFFFFFFFFFFFFF", calls{"Bytes"}, nil, ErrValueTooLarge},
{"C801", calls{"List"}, nil, ErrValueTooLarge},
+ // Test for list element size check overflow.
+ {"CD04040404FFFFFFFFFFFFFFFFFF0303", calls{"List", "Uint", "Uint", "Uint", "Uint", "List"}, nil, ErrElemTooLarge},
+
// Test for input limit overflow. Since we are counting the limit
// down toward zero in Stream.remaining, reading too far can overflow
// remaining to a large value, effectively disabling the limit.