From 2750ec47b7e7ff864eaed72255581e11080907d7 Mon Sep 17 00:00:00 2001
From: Felix Lange <fjl@twurst.com>
Date: Tue, 14 Apr 2015 00:54:12 +0200
Subject: rlp: fix integer overflow in list element size validation

It is not safe to add anything to s.size.
---
 rlp/decode_test.go | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'rlp/decode_test.go')

diff --git a/rlp/decode_test.go b/rlp/decode_test.go
index 6b37ab0ad..a64bfe3fd 100644
--- a/rlp/decode_test.go
+++ b/rlp/decode_test.go
@@ -112,6 +112,9 @@ func TestStreamErrors(t *testing.T) {
 		{"BFFFFFFFFFFFFFFFFFFF", calls{"Bytes"}, nil, ErrValueTooLarge},
 		{"C801", calls{"List"}, nil, ErrValueTooLarge},
 
+		// Test for list element size check overflow.
+		{"CD04040404FFFFFFFFFFFFFFFFFF0303", calls{"List", "Uint", "Uint", "Uint", "Uint", "List"}, nil, ErrElemTooLarge},
+
 		// Test for input limit overflow. Since we are counting the limit
 		// down toward zero in Stream.remaining, reading too far can overflow
 		// remaining to a large value, effectively disabling the limit.
-- 
cgit v1.2.3