Merge #57: Avoid heap out-of-bounds read in Node::CalcOps (test case:…

… OP_0 OP_2 OP_EQUAL) and assertion failure in ComputeType (test case: OP_0 OP_0 OP_EQUAL) a47dcc6 Add assertions: Raise assertion failure instead of doing an out-of-bounds read in case of k > sats.size() (sanket1729) 0d43166 Avoid heap out-of-bounds read in Node::CalcOps (test case: OP_0 OP_2 OP_EQUAL) and assertion failure in ComputeType (test case: OP_0 OP_0 OP_EQUAL) (practicalswift) Pull request description: Closes #12. Closes #13. Supercedes #18 ACKs for top commit: sipa: utACK a47dcc6 darosior: ACK a47dcc6 meshcollider: utACK a47dcc6 Tree-SHA512: 85ea2f791e5b6a2c80dee567895dffe386f5fe4973b97dd7102b91f2e500bf9087dcbaeafe9e635abc02b27a97918bc69ae38b6769d93f2b3a071eb976a606c8
sipa · Aug 19, 2021 · 30a44f8 · 30a44f8
2 parents 97e9279 + a47dcc6
commit 30a44f8
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/bitcoin/script/miniscript.h b/bitcoin/script/miniscript.h
@@ -519,6 +519,7 @@ struct Node {
                     next_sats.push_back(sats[sats.size() - 1] + sub->ops.sat);
                     sats = std::move(next_sats);
                 }
+                assert(k <= sats.size());
                 return {stat, sats[k], sats[0]};
             }
         }
@@ -561,6 +562,7 @@ struct Node {
                     next_sats.push_back(sats[sats.size() - 1] + sub->ss.sat);
                     sats = std::move(next_sats);
                 }
+                assert(k <= sats.size());
                 return {sats[k], sats[0]};
             }
         }
@@ -627,6 +629,7 @@ struct Node {
                 }
                 InputStack nsat = ZERO;
                 for (size_t i = 0; i < k; ++i) nsat = std::move(nsat) + ZERO;
+                assert(k <= sats.size());
                 return InputResult(std::move(nsat), std::move(sats[k]));
             }
             case NodeType::THRESH: {
@@ -643,6 +646,7 @@ struct Node {
                 for (size_t i = 0; i < sats.size(); ++i) {
                     if (i != k) nsat = Choose(std::move(nsat), std::move(sats[i]), nonmal);
                 }
+                assert(k <= sats.size());
                 return InputResult(std::move(nsat), std::move(sats[k]));
             }
             case NodeType::OLDER: {
@@ -1175,6 +1179,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
     }
     subs.clear();
     if (last - in >= 3 && in[0].first == OP_EQUAL && ParseScriptNumber(in[1], k)) {
+        if (k < 1) {
+            return {};
+        }
         in += 2;
         while (last - in >= 2 && in[0].first == OP_ADD) {
             ++in;
@@ -1185,6 +1192,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
         auto sub = DecodeSingle<Key>(in, last, ctx);
         if (!sub) return {};
         subs.push_back(std::move(sub));
+        if (static_cast<unsigned int>(k) > subs.size()) {
+            return {};
+        }
         std::reverse(subs.begin(), subs.end());
         return MakeNodeRef<Key>(NodeType::THRESH, std::move(subs), k);
     }