From: Matt Joiner <anacrolix@gmail.com>
Date: Tue, 3 Jan 2023 14:25:26 +0000 (+1100)
Subject: Fix an issue parsing negative bencode string lengths
X-Git-Tag: v1.49.0~18
X-Git-Url: http://www.git.stargrave.org/?a=commitdiff_plain;h=8e0e36887fa2584dc1147ee31d1610500153d378;p=btrtrc.git

Fix an issue parsing negative bencode string lengths

See the fuzz test in dht/krpc.
---

diff --git a/bencode/decode.go b/bencode/decode.go
index e72a12d5..c171221f 100644
--- a/bencode/decode.go
+++ b/bencode/decode.go
@@ -191,7 +191,7 @@ func (d *Decoder) checkBufferedInt() error {
 	return nil
 }
 
-func (d *Decoder) parseStringLength() (uint64, error) {
+func (d *Decoder) parseStringLength() (int, error) {
 	// We should have already consumed the first byte of the length into the Decoder buf.
 	start := d.Offset - 1
 	d.readUntil(':')
@@ -201,13 +201,13 @@ func (d *Decoder) parseStringLength() (uint64, error) {
 	// Really the limit should be the uint size for the platform. But we can't pass in an allocator,
 	// or limit total memory use in Go, the best we might hope to do is limit the size of a single
 	// decoded value (by reading it in in-place and then operating on a view).
-	length, err := strconv.ParseUint(bytesAsString(d.buf.Bytes()), 10, 0)
+	length, err := strconv.ParseInt(bytesAsString(d.buf.Bytes()), 10, 0)
 	checkForIntParseError(err, start)
 	if int64(length) > d.getMaxStrLen() {
 		err = fmt.Errorf("parsed string length %v exceeds limit (%v)", length, DefaultDecodeMaxStrLen)
 	}
 	d.buf.Reset()
-	return length, err
+	return int(length), err
 }
 
 func (d *Decoder) parseString(v reflect.Value) error {