merged bdecode fix from RC_0_16

src/lazy_bdecode.cpp

@@ -71,8 +71,19 @@ namespace libtorrent
 				ec = bdecode_errors::expected_string;
 				return start;
 			}
+			if (val > INT64_MAX / 10)
+			{
+				ec = bdecode_errors::overflow;
+				return start;
+			}
 			val *= 10;
-			val += *start - '0';
+			int digit = *start - '0';
+			if (val > INT64_MAX - digit)
+			{
+				ec = bdecode_errors::overflow;
+				return start;
+			}
+			val += digit;
 			++start;
 		}
 		if (*start != delimiter)
@@ -139,6 +150,9 @@ namespace libtorrent
 					if (start + len + 1 > end)
 						TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 
+					if (len < 0)
+						TORRENT_FAIL_BDECODE(bdecode_errors::overflow);
+
 					++start;
 					if (start == end) TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 					lazy_entry* ent = top->dict_append(start);
@@ -201,6 +215,9 @@ namespace libtorrent
 						TORRENT_FAIL_BDECODE(e);
 					if (start + len + 1 > end)
 						TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
+					if (len < 0)
+						TORRENT_FAIL_BDECODE(bdecode_errors::overflow);
+
 					++start;
 					top->construct_string(start, int(len));
 					stack.pop_back();
@@ -220,9 +237,9 @@ namespace libtorrent
 		bool negative = false;
 		if (*m_data.start == '-') negative = true;
 		bdecode_errors::error_code_enum ec = bdecode_errors::no_error;
-		parse_int(negative?m_data.start+1:m_data.start
+		parse_int(m_data.start + negative
 			, m_data.start + m_size, 'e', val, ec);
-		TORRENT_ASSERT(!ec);
+		if (ec) return 0;
 		if (negative) val = -val;
 		return val;
 	}
@@ -628,6 +645,7 @@ namespace libtorrent
 			"expected value (list, dict, int or string) in bencoded string",
 			"bencoded nesting depth exceeded",
 			"bencoded item count limit exceeded",
+			"integer overflow",
 		};
 		if (ev < 0 || ev >= int(sizeof(msgs)/sizeof(msgs[0])))
 			return "Unknown error";