fix a deserialization overflow edge case

kazcw · kazcw · commit 6bed4b374daf · 2018-11-13T12:14:34.000-08:00
A specially-constructed BlockTransactionsRequest can overflow in
deserialization in a way that is currently harmless.
diff --git a/src/blockencodings.h b/src/blockencodings.h
@@ -52,12 +52,12 @@ class BlockTransactionsRequest {
                 }
             }
 
-            uint16_t offset = 0;
+            int32_t offset = 0;
             for (size_t j = 0; j < indexes.size(); j++) {
-                if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max())
+                if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max())
                     throw std::ios_base::failure("indexes overflowed 16 bits");
                 indexes[j] = indexes[j] + offset;
-                offset = indexes[j] + 1;
+                offset = int32_t(indexes[j]) + 1;
             }
         } else {
             for (size_t i = 0; i < indexes.size(); i++) {

Original file line number	Diff line number	Diff line change
`@@ -52,12 +52,12 @@ class BlockTransactionsRequest {`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`
`55`		`- uint16_t offset = 0;`
	`55`	`+ int32_t offset = 0;`
`56`	`56`	`for (size_t j = 0; j < indexes.size(); j++) {`
`57`		`- if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits<uint16_t>::max())`
	`57`	`+ if (int32_t(indexes[j]) + offset > std::numeric_limits<uint16_t>::max())`
`58`	`58`	`throw std::ios_base::failure("indexes overflowed 16 bits");`
`59`	`59`	`indexes[j] = indexes[j] + offset;`
`60`		`- offset = indexes[j] + 1;`
	`60`	`+ offset = int32_t(indexes[j]) + 1;`
`61`	`61`	`}`
`62`	`62`	`} else {`
`63`	`63`	`for (size_t i = 0; i < indexes.size(); i++) {`