Merge #149: Fix potential buffer overflow in Bech32

jonasschnelli · jonasschnelli · commit 53064bd8c9b2 · 2018-11-04T14:18:35.000+01:00
eeed835 Fix potential buffer overflow in Bech32 Reported by Christian Reitter and Dr. Jochen Hoenicke (Jonas Schnelli) Pull request description: Reported by Christian Reitter and Dr. Jochen Hoenicke Tree-SHA512: b8050a84f04f7f23a7889ce73d9c9d71b1406e34333a2d869a5c3b20f99a71ddf898e70094fd96d8ab4ed6e682d1aae394088e39f8fd0278e282caf5c2398a46
diff --git a/src/segwit_addr.c b/src/segwit_addr.c
@@ -97,7 +97,7 @@ int bech32_decode(char* hrp, uint8_t *data, size_t *data_len, const char *input)
         ++(*data_len);
     }
     hrp_len = input_len - (1 + *data_len);
-    if (hrp_len < 1 || *data_len < 6) {
+    if (1 + *data_len >= input_len || *data_len < 6) {
         return 0;
     }
     *(data_len) -= 6;

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ int bech32_decode(char* hrp, uint8_t data, size_t data_len, const char *input)`
`97`	`97`	`++(*data_len);`
`98`	`98`	`}`
`99`	`99`	`hrp_len = input_len - (1 + *data_len);`
`100`		`- if (hrp_len < 1 \|\| *data_len < 6) {`
	`100`	`+ if (1 + data_len >= input_len \|\| data_len < 6) {`
`101`	`101`	`return 0;`
`102`	`102`	`}`
`103`	`103`	`*(data_len) -= 6;`