The parse_z function should fail when parsing a number that does not fit in 64 bits.

[chambart]

Numbers larger than 2^64 are truncated by parse_z. It's ok not to be able to parse it, but this should be an error rather than silently dropping some bits. This could be exploited by an attacker to trick the user into signing a transaction with a small amount while the real one is a lot larger. Of course right now this can't be exploited because there are not enough tokens on the network to account for such a transfer.

ledger-app-tezos/src/operations.c

Lines 70 to 82 in 1b19a26

	static inline uint64_t parse_z(const void *data, size_t *ix, size_t length, uint32_t lineno) {
	uint64_t acc = 0;
	uint64_t shift = 0;
	while (true) {
	uint64_t byte = next_byte(data, ix, length, lineno);
	acc |= (byte & 0x7F) << shift;
	shift += 7;
	if (!(byte & 0x80)) {
	break;
	}
	}
	return acc;
	}

[jhartzell42]

As far as we know, this isn't exploitable, as the protocol would not incorporate such an operation, but we will fix this soon.