From ab63044318a107bcbc7317e19557ef32591d2db4 Mon Sep 17 00:00:00 2001
From: arkpar
Date: Tue, 10 Oct 2017 12:39:13 +0200
Subject: [PATCH] Fixed potential exp len overflow
---
 ethcore/res/wasm-tests | 2 +-
 ethcore/src/builtin.rs | 23 ++++++++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/ethcore/res/wasm-tests b/ethcore/res/wasm-tests
index c8129ce2f36..9ed6304313f 160000
--- a/ethcore/res/wasm-tests
+++ b/ethcore/res/wasm-tests
@@ -1 +1 @@
-Subproject commit c8129ce2f36c26ed634eda786960978a28e28d0e
+Subproject commit 9ed6304313fa949ed92aa0570fb2bc759fb6dc58
diff --git a/ethcore/src/builtin.rs b/ethcore/src/builtin.rs
index 9d3290a7ca9..e6324d935ed 100644
--- a/ethcore/src/builtin.rs
+++ b/ethcore/src/builtin.rs
@@ -107,12 +107,15 @@ impl Pricer for ModexpPricer {
 }
 let base_len = base_len.low_u64();
- let exp_len = exp_len.low_u64();
 let mod_len = mod_len.low_u64();
 let m = max(mod_len, base_len);
 if m == 0 {
 return U256::zero();
 }
+ if exp_len > max_len {
+ return U256::max_value();
+ }
+ let exp_len = exp_len.low_u64();
 // read fist 32-byte word of the exponent.
 let exp_low = if base_len + 96 >= input.len() as u64 { U256::zero() } else {
 let mut buf = [0; 32];
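Review bot: The new `exp_len > max_len` guard has no comment explaining why it must run before `exp_len.low_u64()`, or why it sits after the `m == 0` return instead of beside the other length checks. `low_u64()` keeps only the low 64 bits, so without the guard a length with high bits set would be priced as a small one; and with the guard placed here, an input whose base and modulus lengths are both zero is still priced at zero whatever `exp_len` is, which looks intentional but is not stated. I would add `// Bound exp_len before narrowing: low_u64() truncates, so an oversized length would otherwise be priced as a small one.` and `// Kept after the m == 0 return so a zero-length base and modulus stay free.` above the check. `max_len` is defined above the hunk and the function continues below it, so its value and the later uses of `exp_len` are not visible here.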
@@ -707,6 +710,24 @@ mod tests {
 native: ethereum_builtin("modexp"),
 activate_at: 0,
 };
+
+ // test for potential exp len overflow
+ {
+ let input = FromHex::from_hex("\
+ 00000000000000000000000000000000000000000000000000000000000000ff\
+ 2a1e530000000000000000000000000000000000000000000000000000000000\
+ 0000000000000000000000000000000000000000000000000000000000000000"
+ ).unwrap();
+
+ let mut output = vec![0u8; 32];
+ let expected = FromHex::from_hex("0000000000000000000000000000000000000000000000000000000000000000").unwrap();
+ let expected_cost = U256::max_value();
+
+ f.execute(&input[..], &mut BytesRef::Fixed(&mut output[..])).expect("Builtin should fail");
+ assert_eq!(output, expected);
+ assert_eq!(f.cost(&input[..]), expected_cost.into());
+ }
+
 // fermat's little theorem example.
 {
 let input = FromHex::from_hex("\
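Review bot: The message in `.expect("Builtin should fail")` says the opposite of what the call asserts: `expect` panics on `Err`, so this block requires `execute` to succeed, and the text should read `.expect("Builtin should not fail")`. The output check is also weak, because `output` starts as 32 zero bytes and `expected` is 32 zero bytes, so it passes whether or not `execute` wrote anything; the `f.cost` assertion is the one that pins the overflow fix. A short comment such as `// exp_len word has high bits set; cost must saturate instead of truncating` above `expected_cost` would say what the input is built to exercise. The enclosing test function starts and ends outside the hunk.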