everx-labs/flex

Possible undefined behaviour in dealer::make_deal()

Closed this issue · 1 comments

In Price.cpp, dealer::make_deal(), the following statements appear:
https://github.com/tonlabs/flex/blob/faa9d5bc41ea10325290e9d3fbf75fea8035d5bd/flex/Price.cpp#L49
https://github.com/tonlabs/flex/blob/faa9d5bc41ea10325290e9d3fbf75fea8035d5bd/flex/Price.cpp#L54

In case the product deal_amount * price_ overflows the uint128 type, the cost becomes an empty option<>.
In this case, dereferencing it in line 54 results in undefined behavior, as stated in the C++ reference:
https://en.cppreference.com/w/cpp/utility/optional/operator*
meaning that cost may become an arbitrary value.

Right now, the issue is not relevant, because make_dealer is used within the context of process_queue_impl, after the checks are made, but if the dealer is used in another context with the checks forgotten, it will result in interesting surprises.

Note that in PriceXchg.cpp, the corresponding check is present:
https://github.com/tonlabs/flex/blob/faa9d5bc41ea10325290e9d3fbf75fea8035d5bd/flex/PriceXchg.cpp#L56
https://github.com/tonlabs/flex/blob/faa9d5bc41ea10325290e9d3fbf75fea8035d5bd/flex/PriceXchg.cpp#L59
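The pattern the issue describes, as an added illustration that is not code from the Flex repository: a checked multiplication that yields an empty optional on overflow, the unchecked dereference that the issue flags, and a variant that propagates the failure to the caller instead. The `uint128` alias (GCC/Clang `unsigned __int128`), the `Deal` struct and the `make_deal_*` names are assumptions standing in for the contract's own types.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>

// Assumption: stands in for the contract's 128-bit unsigned type.
// unsigned __int128 is a GCC/Clang extension.
using uint128 = unsigned __int128;

// Checked multiply: an empty optional signals overflow instead of wrapping.
// __builtin_mul_overflow returns true when the product does not fit.
std::optional<uint128> checked_mul(uint128 a, uint128 b) {
    uint128 result;
    if (__builtin_mul_overflow(a, b, &result)) {
        return std::nullopt;
    }
    return result;
}

// Hypothetical deal record, not Flex's own type.
struct Deal {
    uint128 amount;
    uint128 cost;
};

// Shape of the code the issue points at: the optional is dereferenced without
// checking it. If checked_mul overflowed, *cost is undefined behaviour and the
// deal may carry an arbitrary cost. Only safe when the caller has already
// verified that amount * price fits, as process_queue_impl does.
Deal make_deal_unchecked(uint128 deal_amount, uint128 price) {
    auto cost = checked_mul(deal_amount, price);
    return Deal{deal_amount, *cost};  // UB if cost is empty
}

// Hardened variant: the overflow is surfaced to the caller as "no deal"
// rather than silently dereferenced, so the function is safe in any context.
std::optional<Deal> make_deal_checked(uint128 deal_amount, uint128 price) {
    auto cost = checked_mul(deal_amount, price);
    if (!cost.has_value()) {
        return std::nullopt;  // product overflowed uint128: refuse to price the deal
    }
    return Deal{deal_amount, *cost};
}

int main() {
    // Constructed inputs: one normal deal, one whose cost overflows.
    const uint128 big = (~uint128{0} / 2) + 1;

    auto ok = make_deal_checked(10, 5);
    std::cout << "10 x 5: " << (ok ? "priced" : "rejected") << '\n';

    auto overflow = make_deal_checked(big, 2);
    std::cout << "big x 2: " << (overflow ? "priced" : "rejected") << '\n';
    return 0;
}
```

The unchecked function is kept only to show the shape of the reported code; the checked variant is what a caller outside process_queue_impl would need, since it cannot rely on the queue's pre-checks having run.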

Fixed.