From 5b021a849e2d61edc5c0803b492d7d362f42b3e0 Mon Sep 17 00:00:00 2001
From: arvidn
Date: Tue, 2 Apr 2019 11:01:05 +0200
Subject: [PATCH] use a more restrictive limit on number of pieces allowed in a torrent
---
 ChangeLog | 1 +
 src/torrent_info.cpp | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index c3da1d05a..266ac97a9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+ * tighten up various input validation checks
  * fix create_torrent python binding
  * update symlinks to conform to BEP 47
  * fix python bindings for peer_info
diff --git a/src/torrent_info.cpp b/src/torrent_info.cpp
index 53f2983bc..eb124a3b1 100644
--- a/src/torrent_info.cpp
+++ b/src/torrent_info.cpp
@@ -1066,8 +1066,15 @@ namespace {
  return false;
  }
 
+ // this is an arbitrary limit to avoid malicious torrents causing
+ // unreasaonably large allocations for the merkle hash tree
+ // the size of the tree would be max_pieces * sizeof(int) * 2
+ // which is about 6.3 MB with this limit
+ const int max_pieces = 0xC0000;
+
  // we expect the piece hashes to be < 2 GB in size
- if (files.num_pieces() >= std::numeric_limits::max() / 20)
+ if (files.num_pieces() >= std::numeric_limits::max() / 20
+ || files.num_pieces() > max_pieces)
  {
  ec = errors::too_many_pieces_in_torrent;
  // mark the torrent as invalid
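Review bot: The first comparison in the widened `if` can no longer fire once `|| files.num_pieces() > max_pieces` is added, because 0xC0000 (786432) is far below the `numeric_limits` bound divided by 20 (assuming the template argument lost in this rendering is `int`). The retained "< 2 GB" comment therefore describes a limit that is never the one enforced. I would collapse the condition to `if (files.num_pieces() > max_pieces)` with `constexpr int max_pieces = 0xC0000;`, and move the 2 GB reasoning into the new comment as the weaker bound it replaces. The new comment justifies the cap only by the merkle hash tree, yet as far as this hunk shows the check rejects any torrent above the cap, so the comment should say the limit applies to all torrents (and `unreasaonably` is a typo). The enclosing function starts and ends outside the hunk, so any gating on torrent type elsewhere is not visible here.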