Avoid signed integer overflow when loading a mempool.dat file with a malformed time field

Summary: This is a backport of [[bitcoin/bitcoin#20372 | core#20372]]

Test Plan:
This causes an error before applying the commit, and it works after the change:
```
$ cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DENABLE_SANITIZERS=undefined
$ xxd -p -r > mempool.dat-crash-1 <<EOF
0100000000000000000000000004000000000000000000000000ffffffff
ffffff7f00000000000000000000000000
EOF
$ cp mempool.dat-crash-1 /bitcoinddata/regtest/mempool.dat
$ ninja
$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest
```

```
../src/validation.cpp:5853:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long'
    #0 0x55f14103ffcd in LoadMempool(Config const&, CTxMemPool&) /home/pierre/dev/bitcoin-abc/build_ubsan/../src/validation.cpp:5853:23
    #1 0x55f14103fb65 in CChainState::LoadMempool(Config const&, ArgsManager const&) /home/pierre/dev/bitcoin-abc/build_ubsan/../src/validation.cpp:4821:9
...
```

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D10725
PiRK committed Dec 23, 2021
1 parent fb6c0e6 commit 3610aa7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/validation.cpp
Expand Up @@ -5850,7 +5850,7 @@ bool LoadMempool(const Config &config, CTxMemPool &pool) {
pool.PrioritiseTransaction(tx->GetId(), amountdelta);
}
TxValidationState state;
if (nTime + nExpiryTimeout > nNow) {
if (nTime > nNow - nExpiryTimeout) {
LOCK(cs_main);
AcceptToMemoryPoolWithTime(config, pool, state, tx, nTime,
false /* bypass_limits */,
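Review bot: the rewritten condition `nTime > nNow - nExpiryTimeout` carries no comment explaining why the subtraction form is used, so a later cleanup could turn it back into `nTime + nExpiryTimeout > nNow` and reintroduce the overflow; a one-line comment stating that `nTime` is read from mempool.dat and may hold any 64-bit value would protect it. A value such as the 9223372036854775807 from the test plan now satisfies the condition and is passed unchanged to `AcceptToMemoryPoolWithTime`, so it is worth confirming that an entry time far in the future is acceptable there, or rejecting `nTime > nNow` before the call. The remaining arithmetic, `nNow - nExpiryTimeout`, is only safe while `nExpiryTimeout` is non-negative and bounded, which these lines do not show; a regression test that loads the mempool.dat from the test plan would cover the fixed case.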