From 2750ec47b7e7ff864eaed72255581e11080907d7 Mon Sep 17 00:00:00 2001
From: Felix Lange <fjl@twurst.com>
Date: Tue, 14 Apr 2015 00:54:12 +0200
Subject: rlp: fix integer overflow in list element size validation

It is not safe to add anything to s.size.
---
 rlp/decode.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'rlp/decode.go')

diff --git a/rlp/decode.go b/rlp/decode.go
index ca9252575..1e39054e6 100644
--- a/rlp/decode.go
+++ b/rlp/decode.go
@@ -751,7 +751,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
 		tos = &s.stack[len(s.stack)-1]
 	}
 	if s.kind < 0 {
-		// don't read further if we're at the end of the
+		// Don't read further if we're at the end of the
 		// innermost list.
 		if tos != nil && tos.pos == tos.size {
 			return 0, 0, EOL
@@ -772,7 +772,7 @@ func (s *Stream) Kind() (kind Kind, size uint64, err error) {
 		}
 	} else {
 		// Inside a list, check that the value doesn't overflow the list.
-		if tos.pos+s.size > tos.size {
+		if s.size > tos.size-tos.pos {
 			return 0, 0, ErrElemTooLarge
 		}
 	}
-- 
cgit v1.2.3