use a more restrictive limit on number of pieces allowed in a torrent

2019-04-02 11:01:05 +02:00 · 2019-04-02 11:01:05 +02:00 · 5b021a849e
parent 33463a3ef5
commit 5b021a849e
2 changed files with 9 additions and 1 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+	* tighten up various input validation checks
 	* fix create_torrent python binding
 	* update symlinks to conform to BEP 47
 	* fix python bindings for peer_info
--- a/src/torrent_info.cpp
+++ b/src/torrent_info.cpp
@ -1066,8 +1066,15 @@ namespace {
 			return false;
 		}

+		// this is an arbitrary limit to avoid malicious torrents causing
+		// unreasaonably large allocations for the merkle hash tree
+		// the size of the tree would be max_pieces * sizeof(int) * 2
+		// which is about 6.3 MB with this limit
+		const int max_pieces = 0xC0000;
+
 		// we expect the piece hashes to be < 2 GB in size
-		if (files.num_pieces() >= std::numeric_limits<int>::max() / 20)
+		if (files.num_pieces() >= std::numeric_limits<int>::max() / 20
+			|| files.num_pieces() > max_pieces)
 		{
 			ec = errors::too_many_pieces_in_torrent;
 			// mark the torrent as invalid