rlp: fix integer overflow in list element size validation
It is not safe to add anything to s.size.
This commit is contained in:
parent
56a48101dc
commit
2750ec47b7
@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
|
||||||
tos = &s.stack[len(s.stack)-1]
|
tos = &s.stack[len(s.stack)-1]
|
||||||
}
|
}
|
||||||
if s.kind < 0 {
|
if s.kind < 0 {
|
||||||
// don't read further if we're at the end of the
|
// Don't read further if we're at the end of the
|
||||||
// innermost list.
|
// innermost list.
|
||||||
if tos != nil && tos.pos == tos.size {
|
if tos != nil && tos.pos == tos.size {
|
||||||
return 0, 0, EOL
|
return 0, 0, EOL
|
||||||
|
@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// Inside a list, check that the value doesn't overflow the list.
|
// Inside a list, check that the value doesn't overflow the list.
|
||||||
if tos.pos+s.size > tos.size {
|
if s.size > tos.size-tos.pos {
|
||||||
return 0, 0, ErrElemTooLarge
|
return 0, 0, ErrElemTooLarge
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
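Review bot: The rewritten guard `if s.size > tos.size-tos.pos {` removes the wrap-around of the old `tos.pos+s.size`, but its correctness now rests on the invariant tos.pos <= tos.size, which nothing in this hunk states; a one-line comment would make that explicit, e.g. `// tos.pos <= tos.size always holds (the EOL check above and this check maintain it), so the subtraction cannot underflow.` The same compare-against-remaining shape is worth applying wherever else the decoder combines a header-derived size with a running offset or limit, such as the input-limit arithmetic the new test comment refers to; that code is outside the hunk, so this is an audit suggestion rather than a defect visible here. Kind's body begins and ends outside both hunks.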
|
|
|
@ -112,6 +112,9 @@ func TestStreamErrors(t *testing.T) {
|
||||||
{"BFFFFFFFFFFFFFFFFFFF", calls{"Bytes"}, nil, ErrValueTooLarge},
|
{"BFFFFFFFFFFFFFFFFFFF", calls{"Bytes"}, nil, ErrValueTooLarge},
|
||||||
{"C801", calls{"List"}, nil, ErrValueTooLarge},
|
{"C801", calls{"List"}, nil, ErrValueTooLarge},
|
||||||
|
|
||||||
|
// Test for list element size check overflow.
|
||||||
|
{"CD04040404FFFFFFFFFFFFFFFFFF0303", calls{"List", "Uint", "Uint", "Uint", "Uint", "List"}, nil, ErrElemTooLarge},
|
||||||
|
|
||||||
// Test for input limit overflow. Since we are counting the limit
|
// Test for input limit overflow. Since we are counting the limit
|
||||||
// down toward zero in Stream.remaining, reading too far can overflow
|
// down toward zero in Stream.remaining, reading too far can overflow
|
||||||
// remaining to a large value, effectively disabling the limit.
|
// remaining to a large value, effectively disabling the limit.
|
||||||
|
|
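Review bot: The new table entry `{"CD04040404FFFFFFFFFFFFFFFFFF0303", calls{"List", "Uint", "Uint", "Uint", "Uint", "List"}, nil, ErrElemTooLarge},` is hard to verify by eye because the comment above it says what is tested but not how the bytes trigger it. Spelling out the construction would help the next reader, e.g. extend the comment to `// Test for list element size check overflow: after four 1-byte Uints (pos 4 of the 13-byte outer list), the header byte FF plus eight FF bytes declares an inner list of size 2^64-1, so the old tos.pos+s.size wrapped to 3 and passed the bound.` The enclosing test table starts and ends outside the hunk.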