Skip to content

Commit a224491

Browse files
SpyCheeseSpyCheese
authored
Fix error processing in StaticBagOfCellsDb (#1481)
1 parent 710514b commit a224491

File tree

1 file changed

+33
-13
lines changed

1 file changed

+33
-13
lines changed

crypto/vm/db/StaticBagOfCellsDb.cpp

Lines changed: 33 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -309,7 +309,9 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
309309
return 0;
310310
}
311311
td::Slice offset_view;
312-
CHECK(info_.offset_byte_size <= 8);
312+
if (info_.offset_byte_size > 8) {
313+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid offset_byte_size " << info_.offset_byte_size);
314+
}
313315
char arr[8];
314316
td::RwMutex::ReadLock guard;
315317
if (info_.has_index) {
@@ -321,19 +323,25 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
321323
offset_view = td::Slice(index_data_).substr((td::int64)idx * info_.offset_byte_size, info_.offset_byte_size);
322324
}
323325

324-
CHECK(offset_view.size() == (size_t)info_.offset_byte_size);
326+
if (offset_view.size() != (size_t)info_.offset_byte_size) {
327+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid offset view size" << offset_view.size());
328+
}
325329
return td::narrow_cast<std::size_t>(info_.read_offset(offset_view.ubegin()));
326330
}
327331

328332
td::Result<td::int64> load_root_idx(int root_i) {
329-
CHECK(root_i >= 0 && root_i < info_.root_count);
333+
if (root_i < 0 || root_i >= info_.root_count) {
334+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid root index " << root_i);
335+
}
330336
if (!info_.has_roots) {
331337
return 0;
332338
}
333339
char arr[8];
334340
TRY_RESULT(idx_view, data_.view(td::MutableSlice(arr, info_.ref_byte_size),
335341
info_.roots_offset + (td::int64)root_i * info_.ref_byte_size));
336-
CHECK(idx_view.size() == (size_t)info_.ref_byte_size);
342+
if (idx_view.size() != (size_t)info_.ref_byte_size) {
343+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid idx_view size" << idx_view.size());
344+
}
337345
return info_.read_ref(idx_view.ubegin());
338346
}
339347

@@ -343,8 +351,9 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
343351
bool should_cache;
344352
};
345353
td::Result<CellLocation> get_cell_location(int idx) {
346-
CHECK(idx >= 0);
347-
CHECK(idx < info_.cell_count);
354+
if (idx < 0 || idx >= info_.cell_count) {
355+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid cell index " << idx);
356+
}
348357
TRY_STATUS(preload_index(idx));
349358
TRY_RESULT(from, load_idx_offset(idx - 1));
350359
TRY_RESULT(till, load_idx_offset(idx));
@@ -357,10 +366,15 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
357366
res.should_cache = res.end % 2 == 1;
358367
res.end /= 2;
359368
}
360-
CHECK(std::numeric_limits<std::size_t>::max() - res.begin >= info_.data_offset);
361-
CHECK(std::numeric_limits<std::size_t>::max() - res.end >= info_.data_offset);
369+
if (std::numeric_limits<std::size_t>::max() - res.begin < info_.data_offset ||
370+
std::numeric_limits<std::size_t>::max() - res.end < info_.data_offset) {
371+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid cell location (1) " << res.begin << ":" << res.end);
372+
}
362373
res.begin += static_cast<std::size_t>(info_.data_offset);
363374
res.end += static_cast<std::size_t>(info_.data_offset);
375+
if (res.begin > res.end) {
376+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid cell location (2) " << res.begin << ":" << res.end);
377+
}
364378
return res;
365379
}
366380

@@ -396,8 +410,6 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
396410
if (info_.has_index) {
397411
return td::Status::OK();
398412
}
399-
400-
CHECK(idx < info_.cell_count);
401413
if (index_i_.load(std::memory_order_relaxed) > idx) {
402414
return td::Status::OK();
403415
}
@@ -407,12 +419,17 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
407419
auto buf_slice = td::MutableSlice(buf.data(), buf.size());
408420
for (; index_i_ <= idx; index_i_++) {
409421
auto offset = td::narrow_cast<size_t>(info_.data_offset + index_offset_);
410-
CHECK(data_.size() >= offset);
422+
if (data_.size() < offset) {
423+
return td::Status::Error(PSLICE() << "bag-of-cells error: invalid offset " << offset
424+
<< " (size=" << data_.size() << ")");
425+
}
411426
TRY_RESULT(cell, data_.view(buf_slice.copy().truncate(data_.size() - offset), offset));
412427
CellSerializationInfo cell_info;
413428
TRY_STATUS(cell_info.init(cell, info_.ref_byte_size));
414429
index_offset_ += cell_info.end_offset;
415-
LOG_CHECK((unsigned)info_.offset_byte_size <= 8) << info_.offset_byte_size;
430+
if ((unsigned)info_.offset_byte_size > 8) {
431+
return td::Status::Error(PSTRING() << "bag-of-cell error: invalid offset_byte_size " << info_.offset_byte_size);
432+
}
416433
td::uint8 tmp[8];
417434
info_.write_offset(tmp, index_offset_);
418435
auto guard = index_data_rw_mutex_.lock_write();
@@ -488,7 +505,10 @@ class StaticBagOfCellsDbLazyImpl : public StaticBagOfCellsDb {
488505
bool should_cache) {
489506
deserialize_cell_cnt_.add(1);
490507
Ref<Cell> refs[4];
491-
CHECK(cell_info.refs_cnt <= 4);
508+
if (cell_info.refs_cnt > 4) {
509+
return td::Status::Error(PSLICE() << "invalid bag-of-cells cell #" << idx << " has " << cell_info.refs_cnt
510+
<< " refs");
511+
}
492512
auto* ref_ptr = cell_slice.ubegin() + cell_info.refs_offset;
493513
for (int k = 0; k < cell_info.refs_cnt; k++, ref_ptr += info_.ref_byte_size) {
494514
int ref_idx = td::narrow_cast<int>(info_.read_ref(ref_ptr));

0 commit comments

Comments
 (0)