fix: prevent integer underflow in amount() bounds check

Oblivionsage · Oblivionsage · commit d248417f2cca · 2025-11-13T01:52:38.000+01:00
The bounds check 'index &gt; arr.size() - 1' has an edge case bug.
When arr.size() is 0, subtracting 1 from an unsigned size_t
underflows to SIZE_MAX, so 'index &gt; SIZE_MAX' is always false.

This could theoretically allow out-of-bounds access, though it's
pretty hard to trigger in practice - would need a malformed/corrupted
unsigned_tx file that parses successfully but has no transactions.

Changed to 'arr.empty() || index &gt;= arr.size()' which handles
the edge case properly.

Found with AddressSanitizer during fuzzing.
diff --git a/src/libwalletqt/UnsignedTransaction.cpp b/src/libwalletqt/UnsignedTransaction.cpp
@@ -19,7 +19,7 @@ QString UnsignedTransaction::errorString() const
 quint64 UnsignedTransaction::amount(size_t index) const
 {
     std::vector<uint64_t> arr = m_pimpl->amount();
-    if(index > arr.size() - 1)
+    if(arr.empty() || index >= arr.size())
         return 0;
     return arr[index];
 }

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ QString UnsignedTransaction::errorString() const`
`19`	`19`	`quint64 UnsignedTransaction::amount(size_t index) const`
`20`	`20`	`{`
`21`	`21`	`std::vector<uint64_t> arr = m_pimpl->amount();`
`22`		`- if(index > arr.size() - 1)`
	`22`	`+ if(arr.empty() \|\| index >= arr.size())`
`23`	`23`	`return 0;`
`24`	`24`	`return arr[index];`
`25`	`25`	`}`