Merge branch 'hotfix-5908-5909-rc' into 'release-3.1'

5908, 5909

See merge request !590

modules/global-db/dap_chain_global_db_remote.c

@@ -301,7 +301,12 @@ dap_store_obj_t *dap_store_unpacket_multiple(const dap_store_obj_pkt_t *a_pkt, s
         return NULL;
     uint64_t l_offset = 0;
     uint32_t l_count = a_pkt->obj_count, l_cur_count;
-    dap_store_obj_t *l_store_obj = DAP_NEW_Z_SIZE(dap_store_obj_t, l_count * sizeof(struct dap_store_obj));
+    uint64_t l_size = l_count <= UINT32_MAX ? l_count * sizeof(struct dap_store_obj) : 0;
+    dap_store_obj_t *l_store_obj = DAP_NEW_Z_SIZE(dap_store_obj_t, l_size);
+    if (!l_store_obj || !l_size) {
+        log_it(L_ERROR, "Invalid size: can't allocate %lu bytes", l_size);
+        return NULL;
+    }
     for(l_cur_count = 0; l_cur_count < l_count; ++l_cur_count) {
         dap_store_obj_t *l_obj = l_store_obj + l_cur_count;
         uint16_t l_str_length;

modules/type/dag/dap_chain_cs_dag.c

@@ -761,9 +761,15 @@ static bool s_event_verify_size(dap_chain_cs_dag_event_t *a_event, size_t a_even
     size_t l_sign_offset = dap_chain_cs_dag_event_calc_size_excl_signs(a_event, a_event_size);
     if (l_sign_offset >= a_event_size)
         return false;
+    if (a_event->header.signs_count > UINT16_MAX)
+        return false;
     for (int i = 0; i < a_event->header.signs_count; i++) {
         dap_sign_t *l_sign = (dap_sign_t *)((uint8_t *)a_event + l_sign_offset);
         l_sign_offset += dap_sign_get_size(l_sign);
+        if (l_sign_offset > a_event_size) {
+            log_it(L_ERROR, "%d of atom signes don't fit in the atom size %zd", a_event->header.signs_count, a_event_size);
+            return false;
+        }
     }
     return l_sign_offset == a_event_size;
 }