    X neo/protogen: Catch length checks overflows on decode · c884bfd5
    Kirill Smelkov authored
    For example a list is encoded as
    
    	l        u32
    	[l]item  itemType
    
    on decode len is read from data stream and for rest of data len(data) is
    checked to be < l*sizeof(item).
    
    However since l is u32 and sizeof(item) is just a number, the result of
    `l * sizeof(item)` also has u32 type. However it could overflow e.g. for
    
    	l		= 0x20000000
    	sizeof(item)	= 8
    
    with the l*sizeof(item) being = u32(0)	(exactly zero) -> oops.
    
    Avoid the problem by doing all checking arithmetic with u64 ints.
zproto-marshal.go 94 KB
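
The wraparound described in the commit message, shown as an added Go example (not code from the commit or from the NEO code base). It assumes big-endian encoding and 8-byte integer items; `decodeList`, `checkU32` and `checkU64` are hypothetical names, and the input bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const itemSize = 8 // sizeof(item) in the commit message's example

var (
	errTooShort = errors.New("buffer shorter than declared list")
	errOverread = errors.New("length check passed but decode ran past buffer")
)

// checkU32 multiplies in uint32, so l*itemSize wraps for large l.
func checkU32(l uint32, rest []byte) bool { return uint32(len(rest)) >= l*itemSize }

// checkU64 widens first, so the product cannot wrap.
func checkU64(l uint32, rest []byte) bool { return uint64(len(rest)) >= uint64(l)*itemSize }

// decodeList reads "l u32" then l 8-byte items, guarded by the given check.
func decodeList(data []byte, check func(uint32, []byte) bool) (items []uint64, err error) {
	if len(data) < 4 {
		return nil, errTooShort
	}
	l, rest := binary.BigEndian.Uint32(data), data[4:]
	if !check(l, rest) {
		return nil, errTooShort
	}
	defer func() { // an out-of-range read means the check let bad input through
		if recover() != nil {
			items, err = nil, errOverread
		}
	}()
	for i := uint32(0); i < l; i++ {
		items = append(items, binary.BigEndian.Uint64(rest)) // panics if len(rest) < 8
		rest = rest[8:]
	}
	return items, nil
}

func main() {
	hostile := []byte{0x20, 0x00, 0x00, 0x00} // constructed: l = 0x20000000, no items
	_, e32 := decodeList(hostile, checkU32)
	_, e64 := decodeList(hostile, checkU64)
	fmt.Println("u32 check:", e32)
	fmt.Println("u64 check:", e64)
}
```

With the u32 check the product is exactly zero, so the empty payload is accepted and the decoder reads past the buffer; with the u64 check the same input is rejected before any item is read.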