X neo/protogen: Catch length checks overflows on decode
For example a list is encoded as

    l        u32
    [l]item  itemType

on decode len is read from data stream and for rest of data len(data) is checked to be < l*sizeof(item).

However since l is u32 and sizeof(item) is just number the result of `l * sizeof(item)` has also u32 type. However it could overflow e.g. for l = 0x20000000 sizeof(item) = 8 with the l*sizeof(item) being = u32(0) (exactly zero) -> oops.

Avoid the problem by doing all checking arithmetics with u64 ints.
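The wrap described in the commit message, as an added Go example that is not code from this commit or from neo/protogen: it puts the u32 length check beside the u64 one on the message's own values (l = 0x20000000, item size 8). The function names, the big-endian byte order and the fixed 8-byte item type are assumptions made for this sketch.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const itemSize = 8 // assumed fixed item size, as in the commit message's example

var errShort = errors.New("decode: list length exceeds remaining data")

// lenOK32 is the flawed check: l*itemSize is computed in uint32 and wraps.
func lenOK32(avail int, l uint32) bool {
	return uint32(avail) >= l*itemSize
}

// lenOK64 widens both operands first, so the product cannot wrap.
func lenOK64(avail int, l uint32) bool {
	return uint64(avail) >= uint64(l)*itemSize
}

// decodeList decodes "u32 length, then length 8-byte items" (big-endian is
// an assumption of this sketch) and validates the length with lenOK64.
func decodeList(data []byte) ([]uint64, error) {
	if len(data) < 4 {
		return nil, errShort
	}
	l := binary.BigEndian.Uint32(data)
	data = data[4:]
	if !lenOK64(len(data), l) {
		return nil, errShort
	}
	items := make([]uint64, l)
	for i := range items {
		items[i] = binary.BigEndian.Uint64(data[i*itemSize:])
	}
	return items, nil
}

func main() {
	// Constructed input: header claims 0x20000000 items, no item bytes follow.
	hdr := []byte{0x20, 0x00, 0x00, 0x00}
	l := binary.BigEndian.Uint32(hdr)
	fmt.Println("u32 check accepts:", lenOK32(0, l)) // 0x20000000*8 wraps to 0
	fmt.Println("u64 check accepts:", lenOK64(0, l))
	_, err := decodeList(hdr)
	fmt.Println("decodeList:", err)
}
```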