From 3610aa71daeefbb20aeec6c7bea344a00618ed2e Mon Sep 17 00:00:00 2001
From: PiRK <pierrekn@gmail.com>
Date: Wed, 22 Dec 2021 17:10:13 +0100
Subject: [PATCH] Avoid signed integer overflow when loading a mempool.dat file
 with a malformed time field

Summary: This is a backport of [[https://github.com/bitcoin/bitcoin/pull/20372 | core#20372]]

Test Plan:
This causes an error before applying the commit, and it works after the change:
```
$ cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DENABLE_SANITIZERS=undefined
$ xxd -p -r > mempool.dat-crash-1 <<EOF
0100000000000000000000000004000000000000000000000000ffffffff
ffffff7f00000000000000000000000000
EOF
$ cp mempool.dat-crash-1 /bitcoinddata/regtest/mempool.dat
$ ninja
$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest
```

```
../src/validation.cpp:5853:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long'
    #0 0x55f14103ffcd in LoadMempool(Config const&, CTxMemPool&) /home/pierre/dev/bitcoin-abc/build_ubsan/../src/validation.cpp:5853:23
    #1 0x55f14103fb65 in CChainState::LoadMempool(Config const&, ArgsManager const&) /home/pierre/dev/bitcoin-abc/build_ubsan/../src/validation.cpp:4821:9
...
```

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D10725
---
 src/validation.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validation.cpp b/src/validation.cpp
index 8b4d30ba3f..a58350ceec 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -5850,7 +5850,7 @@ bool LoadMempool(const Config &config, CTxMemPool &pool) {
                 pool.PrioritiseTransaction(tx->GetId(), amountdelta);
             }
             TxValidationState state;
-            if (nTime + nExpiryTimeout > nNow) {
+            if (nTime > nNow - nExpiryTimeout) {
                 LOCK(cs_main);
                 AcceptToMemoryPoolWithTime(config, pool, state, tx, nTime,
                                            false /* bypass_limits */,