python-bitcoinlib
enforce canonical encoding and MAX_SIZE in VarIntSerializer
core.serialize.VarIntSerializer now checks for value bounds of deserialized
compact size integer. If it encounters non-canonical encoding, or the size
bigger than MAX_SIZE (0x02000000) it throws DeserializationValueBoundsError
I just noticed that VarIntSerializer.stream_deserialize() is not in line with current Core's ReadCompactSize(). It does not check for MAX_SIZE (the check that was there from the start, I think), and it also does not check for the encodings to be canonical (if the encoding is of 3-byte length, it should not contain a value less than 0xFD, etc.) - the constraint added in 2013.
This patch adds the checks and the new exception, DeserializationValueBoundsError.
Tests now do not try to validate non-canonical encodings, but check that non-canonical encodings throw the appropriate exception.
The use of int() may be a problem on python2, but as far as I remember, python-bitcoinlib is announced to be python3-only from the next release.
Yeah, writing py3-only code is fine now.
Is there anything else you'd do if this pull-req was py3-only?
No, this code was ported from python-bitcointx, which is py3-only from the start.
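As an added example (not code from this pull request or from python-bitcoinlib), here is a stand-alone reader that applies the two checks the pull request describes, canonical encoding and the MAX_SIZE bound, in the same order as Core's ReadCompactSize(). The names `read_compact_size`, `decode_or_reason` and `CompactSizeBoundsError` are hypothetical, and the sample byte strings are constructed.

```python
import io
import struct

MAX_SIZE = 0x02000000  # bound quoted in the commit message


class CompactSizeBoundsError(ValueError):
    """Hypothetical name; stands in for the exception the patch adds."""


# prefix byte -> (struct format, payload length, smallest canonical value)
_WIDTHS = {
    0xFD: ("<H", 2, 0xFD),
    0xFE: ("<I", 4, 0x10000),
    0xFF: ("<Q", 8, 0x100000000),
}


def read_compact_size(stream):
    """Read one compact size integer; reject non-canonical or oversized values."""
    prefix = stream.read(1)
    if len(prefix) != 1:
        raise EOFError("stream ended before the prefix byte")
    value = prefix[0]
    if value >= 0xFD:
        fmt, length, minimum = _WIDTHS[value]
        payload = stream.read(length)
        if len(payload) != length:
            raise EOFError("stream ended inside the integer")
        (value,) = struct.unpack(fmt, payload)
        if value < minimum:
            raise CompactSizeBoundsError("non-canonical encoding of %#x" % value)
    if value > MAX_SIZE:
        raise CompactSizeBoundsError("size %#x exceeds MAX_SIZE" % value)
    return value


def decode_or_reason(encoded):
    """Decode constructed bytes, returning the value or the rejection reason."""
    try:
        return read_compact_size(io.BytesIO(encoded))
    except CompactSizeBoundsError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed samples: canonical 253, padded 252, MAX_SIZE, MAX_SIZE + 1.
    for sample in ("fdfd00", "fdfc00", "fe00000002", "fe01000002"):
        print(sample, "->", decode_or_reason(bytes.fromhex(sample)))
```

The bound check runs after the canonical check, so a padded encoding is reported as non-canonical even when its value is also within range.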