From 0f459d868d85053f1cc066ea9099793f88cbd655 Mon Sep 17 00:00:00 2001
From: Kaz Wesley
Date: Thu, 15 Nov 2018 17:21:28 -0800
Subject: [PATCH] fix an undefined behavior in uint::SetHex

Decrementing psz beyond the beginning of the string is UB, even though the out-of-bounds pointer is never dereferenced.
---
 src/uint256.cpp | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/uint256.cpp b/src/uint256.cpp
index d9da668036..b164e8678b 100644
--- a/src/uint256.cpp
+++ b/src/uint256.cpp
@@ -37,16 +37,15 @@ void base_blob::SetHex(const char* psz)
 psz += 2;
 
 // hex string to uint
- const char* pbegin = psz;
- while (::HexDigit(*psz) != -1)
- psz++;
- psz--;
+ size_t digits = 0;
+ while (::HexDigit(psz[digits]) != -1)
+ digits++;
 unsigned char* p1 = (unsigned char*)data;
 unsigned char* pend = p1 + WIDTH;
- while (psz >= pbegin && p1 < pend) {
- *p1 = ::HexDigit(*psz--);
- if (psz >= pbegin) {
- *p1 |= ((unsigned char)::HexDigit(*psz--) << 4);
+ while (digits > 0 && p1 < pend) {
+ *p1 = ::HexDigit(psz[--digits]);
+ if (digits > 0) {
+ *p1 |= ((unsigned char)::HexDigit(psz[--digits]) << 4);
 p1++;
 }
 }
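Review bot: The copy loop `while (digits > 0 && p1 < pend)` stops silently once WIDTH bytes are filled, so a string with more than 2*WIDTH hex digits keeps only its trailing digits, and the scan loop ends at the first non-hex character without reporting it. SetHex returns void, so a caller parsing untrusted text gets no signal that the input was over-long or malformed. Now that `digits` holds the count, a comment at the scan loop would make the contract explicit, e.g. `// Stops at the first non-hex char; digits beyond 2*WIDTH are dropped from the front. Validate untrusted input before calling.` The function body starts and ends outside the hunk, so any validation done before this point is not visible here.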