From 2750ec47b7e7ff864eaed72255581e11080907d7 Mon Sep 17 00:00:00 2001 From: Felix Lange Date: Tue, 14 Apr 2015 00:54:12 +0200 Subject: [PATCH] rlp: fix integer overflow in list element size validation It is not safe to add anything to s.size. --- rlp/decode.go | 4 ++-- rlp/decode_test.go | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/rlp/decode.go b/rlp/decode.go index ca9252575..1e39054e6 100644 --- a/rlp/decode.go +++ b/rlp/decode.go @@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) { tos = &s.stack[len(s.stack)-1] } if s.kind < 0 { - // don't read further if we're at the end of the + // Don't read further if we're at the end of the // innermost list. if tos != nil && tos.pos == tos.size { return 0, 0, EOL @@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) { } } else { // Inside a list, check that the value doesn't overflow the list. - if tos.pos+s.size > tos.size { + if s.size > tos.size-tos.pos { return 0, 0, ErrElemTooLarge } } diff --git a/rlp/decode_test.go b/rlp/decode_test.go index 6b37ab0ad..a64bfe3fd 100644 --- a/rlp/decode_test.go +++ b/rlp/decode_test.go @@ -112,6 +112,9 @@ func TestStreamErrors(t *testing.T) { {"BFFFFFFFFFFFFFFFFFFF", calls{"Bytes"}, nil, ErrValueTooLarge}, {"C801", calls{"List"}, nil, ErrValueTooLarge}, + // Test for list element size check overflow. + {"CD04040404FFFFFFFFFFFFFFFFFF0303", calls{"List", "Uint", "Uint", "Uint", "Uint", "List"}, nil, ErrElemTooLarge}, + // Test for input limit overflow. Since we are counting the limit // down toward zero in Stream.remaining, reading too far can overflow // remaining to a large value, effectively disabling the limit.