diff options
author | Felix Lange <fjl@twurst.com> | 2015-04-14 06:54:12 +0800 |
---|---|---|
committer | Felix Lange <fjl@twurst.com> | 2015-04-17 20:45:09 +0800 |
commit | 2750ec47b7e7ff864eaed72255581e11080907d7 (patch) | |
tree | df5ead8b41b4dbb49b990a59f4d41bd4422da787 /rlp/decode.go | |
parent | 56a48101dc3dd96587915a5d7882f9d46ecc6ae9 (diff) | |
download | go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.gz go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.bz2 go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.lz go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.xz go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.tar.zst go-tangerine-2750ec47b7e7ff864eaed72255581e11080907d7.zip |
rlp: fix integer overflow in list element size validation
It is not safe to add anything to s.size.
Diffstat (limited to 'rlp/decode.go')
-rw-r--r-- | rlp/decode.go | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/rlp/decode.go b/rlp/decode.go index ca9252575..1e39054e6 100644 --- a/rlp/decode.go +++ b/rlp/decode.go @@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) { tos = &s.stack[len(s.stack)-1] } if s.kind < 0 { - // don't read further if we're at the end of the + // Don't read further if we're at the end of the // innermost list. if tos != nil && tos.pos == tos.size { return 0, 0, EOL @@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) { } } else { // Inside a list, check that the value doesn't overflow the list. - if tos.pos+s.size > tos.size { + if s.size > tos.size-tos.pos { return 0, 0, ErrElemTooLarge } } |