authorFelix Lange <fjl@twurst.com>2015-04-14 06:54:12 +0800
committerFelix Lange <fjl@twurst.com>2015-04-17 20:45:09 +0800
commit2750ec47b7e7ff864eaed72255581e11080907d7 (patch)
treedf5ead8b41b4dbb49b990a59f4d41bd4422da787 /rlp/decode.go
parent56a48101dc3dd96587915a5d7882f9d46ecc6ae9 (diff)
rlp: fix integer overflow in list element size validation
It is not safe to add anything to s.size.
Diffstat (limited to 'rlp/decode.go')
-rw-r--r--rlp/decode.go4
1 files changed, 2 insertions, 2 deletions
diff --git a/rlp/decode.go b/rlp/decode.go
index ca9252575..1e39054e6 100644
--- a/rlp/decode.go
+++ b/rlp/decode.go
@@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
tos = &s.stack[len(s.stack)-1]
}
if s.kind < 0 {
- // don't read further if we're at the end of the
+ // Don't read further if we're at the end of the
// innermost list.
if tos != nil && tos.pos == tos.size {
return 0, 0, EOL
@@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
}
} else {
// Inside a list, check that the value doesn't overflow the list.
- if tos.pos+s.size > tos.size {
+ if s.size > tos.size-tos.pos {
return 0, 0, ErrElemTooLarge
}
}
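Review bot: The rewritten guard `s.size > tos.size-tos.pos` is only sound while `tos.pos <= tos.size`; if that ever failed, the unsigned subtraction would wrap and an oversized element would pass the check. The end-of-list test in the first hunk compares with `tos.pos == tos.size` rather than `>=`, so the code appears to assume that invariant, but nothing in the visible lines states it. I would record it next to the check, for example `// tos.pos <= tos.size always holds here, so the subtraction cannot wrap.` A decoder test with a list element whose declared size is close to the uint64 maximum would pin the fix, since the size is presumably taken from the encoded input. Kind's body starts and ends outside the hunk, so where `pos` is advanced cannot be confirmed from here.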