From 0b78cb5e6bd4242c6fb773413a2ce62af9a03ae3 Mon Sep 17 00:00:00 2001
From: SomberNight
Date: Tue, 12 Jun 2018 14:33:22 +0200
Subject: [PATCH] stricter tx deserialization: forbid output amount values over 21 million btc
---
 lib/bitcoin.py | 1 +
 lib/transaction.py | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/lib/bitcoin.py b/lib/bitcoin.py
index da4048ca2..63e2514dc 100644
--- a/lib/bitcoin.py
+++ b/lib/bitcoin.py
@@ -38,6 +38,7 @@ from .crypto import Hash, sha256, hash_160
 COINBASE_MATURITY = 100
 COIN = 100000000
+TOTAL_COIN_SUPPLY_LIMIT_IN_BTC = 21000000
 # supported types of transaction outputs
 TYPE_ADDRESS = 0
diff --git a/lib/transaction.py b/lib/transaction.py
index 6fdd60800..c491f99b5 100644
--- a/lib/transaction.py
+++ b/lib/transaction.py
@@ -534,6 +534,8 @@ def parse_witness(vds, txin, full_parse: bool):
 def parse_output(vds, i):
 d = {}
 d['value'] = vds.read_int64()
+ if d['value'] > TOTAL_COIN_SUPPLY_LIMIT_IN_BTC * COIN:
+ raise SerializationError('invalid output amount (too large)')
 scriptPubKey = vds.read_bytes(vds.read_compact_size())
 d['type'], d['address'] = get_address_from_output_script(scriptPubKey)
 d['scriptPubKey'] = bh2u(scriptPubKey)
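Review bot: Negative amounts still pass the new bound in parse_output, because only the upper limit is checked and `vds.read_int64()` presumably decodes a signed 64-bit value. A malformed serialized transaction could therefore produce a negative `d['value']` that later balance or fee arithmetic may not expect. Consider adding `if d['value'] < 0:` followed by `raise SerializationError('invalid output amount (negative)')` right after the upper-bound check. It is also worth confirming that `TOTAL_COIN_SUPPLY_LIMIT_IN_BTC` and `COIN` are in scope in lib/transaction.py, since this patch shows no import change there. parse_output's body appears to continue past the end of the hunk.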