From 0651ad651ed50c4bc932034f64c38314aeaabae5 Mon Sep 17 00:00:00 2001
From: Emmanuel T Odeke
Date: Sun, 3 Dec 2023 23:40:34 -0800
Subject: [PATCH] fix(client/tx): avoid integer uint64->int64 overflow by big.Int conversion

Avoids a potential uint64->int64 overflow when creating math.LegacyDec, instead opting to use big.Int.SetUint64(x)

Fixes https://github.com/cosmos/cosmos-sdk/security/code-scanning/9412
---
 CHANGELOG.md         | 1 +
 client/tx/factory.go | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00573f014843..1a524c978dc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -71,6 +71,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (client) [#18622](https://github.com/cosmos/cosmos-sdk/pull/18622) Fixed a potential under/overflow from `uint64->int64` when computing gas fees as a LegacyDec.
 * (client/keys) [#18562](https://github.com/cosmos/cosmos-sdk/pull/18562) `keys delete` won't terminate when a key is not found
 * (server) [#18537](https://github.com/cosmos/cosmos-sdk/pull/18537) Fix panic when defining minimum gas config as `100stake;100uatom`. Use a `,` delimiter instead of `;`. Fixes the server config getter to use the correct delimiter.
 * [#18531](https://github.com/cosmos/cosmos-sdk/pull/18531) Baseapp's `GetConsensusParams` returns an empty struct instead of panicking if no params are found.
diff --git a/client/tx/factory.go b/client/tx/factory.go
index e3ca6041d9e0..76829eda7745 100644
--- a/client/tx/factory.go
+++ b/client/tx/factory.go
@@ -3,6 +3,7 @@ package tx
 import (
 	"errors"
 	"fmt"
+	"math/big"
 	"os"
 	"strings"
 
@@ -311,7 +312,9 @@ func (f Factory) BuildUnsignedTx(msgs ...sdk.Msg) (client.TxBuilder, error) {
 		return nil, errors.New("cannot provide both fees and gas prices")
 	}
 
-	glDec := math.LegacyNewDec(int64(f.gas))
+	// f.gas is a uint64 and we should convert to LegacyDec
+	// without the risk of under/overflow via uint64->int64.
+	glDec := math.LegacyNewDecFromBigInt(new(big.Int).SetUint64(f.gas))
 
 	// Derive the fees based on the provided gas prices, where
 	// fee = ceil(gasPrice * gasLimit).
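Review bot: Nothing pins the fix — the diffstat lists only CHANGELOG.md and client/tx/factory.go — so a later edit could reintroduce `int64(f.gas)` unnoticed; a factory test that sets gas above the int64 range (e.g. `1<<63 + 1`) and asserts the derived fee is positive and equals ceil(gasPrice * gas) would lock the corrected behaviour in. The new comment's "under/overflow" overstates the hazard, since a uint64→int64 conversion cannot underflow, it wraps negative; `// f.gas is a uint64: go through big.Int so gas values above 2^63-1 cannot wrap negative, as int64(f.gas) would.` names the actual failure. If the pinned cosmossdk.io/math exposes NewIntFromUint64, `math.LegacyNewDecFromInt(math.NewIntFromUint64(f.gas))` expresses the same conversion without the new math/big import. BuildUnsignedTx begins before and continues past this hunk, so whether an out-of-range gas value is rejected earlier or merely surfaces as an unpayable fee is not visible here.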