It causes a buffer overflow because amount_str can be 39 in length
Closed this issue · 7 comments
ledger-app-aergo/src/currency.h
Line 80 in 8ad676a
Overflow here in the tmp variable, right?
ledger-app-aergo/src/currency.h
Lines 4 to 6 in 8ad676a
I will fix it.
Thanks.
You can also send PRs if you want.
Well, I checked and it will not overflow because this function is receiving a value in binary big endian format. It is not converted to string yet.
Could you check?
At line 6, when length is 38, then os_memmove(tmp - 6, data, 38), so it can cause a memory violation.
This function is receiving the amount encoded as variable size big endian integer from protobuf and will convert it to an uint256 first and then to a string.
The encoded amount cannot be so big (38 bytes). It is only this size when in string format, right?
Note that the same function is also used on the Ethereum app:
ledger-app-aergo/src/transaction.h
Line 190 in e8cf03e
According to the above line, I think the amount length goes up to 40, but protobuf limits the size to uint256, so then it is OK.
Oh, right! Maybe we can fix this line. I will verify the limits. Thanks
Fixed. Currently on the develop branch.
It could indeed generate some problems.
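
The bounds problem discussed in this thread, as an added example that is not part of the thread or the project's code: right-aligning a variable-length big-endian integer into a 32-byte buffer, with the length check whose absence turns a 38-byte input into a copy starting at tmp - 6. The function name `be_to_fixed256` and the sample inputs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UINT256_BYTES 32

/* Hypothetical helper (not the project's function): right-align a
 * variable-length big-endian integer into a zeroed 32-byte buffer.
 * The destination offset is UINT256_BYTES - length; without the check
 * below, length = 38 makes that offset -6 and the copy starts 6 bytes
 * before the buffer. Nothing is written when the input is rejected. */
bool be_to_fixed256(const uint8_t *data, size_t length,
                    uint8_t out[UINT256_BYTES]) {
    if (data == NULL || out == NULL)
        return false;
    if (length > UINT256_BYTES)   /* value cannot fit in 256 bits */
        return false;
    memset(out, 0, UINT256_BYTES);
    memcpy(out + (UINT256_BYTES - length), data, length);
    return true;
}

int main(void) {
    uint8_t out[UINT256_BYTES];
    const uint8_t three_bytes[3] = {0x01, 0x02, 0x03}; /* constructed input */
    uint8_t oversized[38];                             /* constructed input */
    memset(oversized, 0xFF, sizeof oversized);

    printf("3-byte input accepted: %d\n",
           be_to_fixed256(three_bytes, sizeof three_bytes, out));
    printf("38-byte input accepted: %d\n",
           be_to_fixed256(oversized, sizeof oversized, out));
    return 0;
}
```

The caller has to treat a `false` return as a parse failure and stop processing the transaction rather than continue with an uninitialized value.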