In the function __txn_next_elem, the current txn->elementIndex checks to ensure that it's different from MAX_ELEMS.
So the maximum authorized value will be txn->elementIndex = 19 if MAX_ELEMS == 20.
Later in the function, if the condition txn->elements[txn->elementIndex].elemType == TXN_ELEM_SC_OUTPUT|TXN_ELEM_SF_OUTPUT|TXN_ELEM_MINER_FEE is valid with the previous maximum values, the line containing txn->elements[txn->elementIndex + 1].elemType will be executed. This will result in a write at index 20 of an array of size 20 (considering the previous value for MAX_ELEMS).
Recommendation: This can be fixed by adding a check to ensure that the write can happen within array boundaries.
In the function
__txn_next_elem
, the currenttxn->elementIndex
checks to ensure that it's different fromMAX_ELEMS
.So the maximum authorized value will be
txn->elementIndex = 19
ifMAX_ELEMS == 20
. Later in the function, if the conditiontxn->elements[txn->elementIndex].elemType == TXN_ELEM_SC_OUTPUT|TXN_ELEM_SF_OUTPUT|TXN_ELEM_MINER_FEE
is valid with the previous maximum values, the line containingtxn->elements[txn->elementIndex + 1].elemType
will be executed. This will result in a write at index 20 of an array of size 20 (considering the previous value forMAX_ELEMS
).Recommendation: This can be fixed by adding a check to ensure that the write can happen within array boundaries.