authorAndrew Chow <github@achow101.com>2022-09-21 13:03:26 -0400
committerAndrew Chow <github@achow101.com>2022-09-21 13:17:07 -0400
commit2b2c970627f7b343dd07428bd73a146f175e3af9 (patch)
tree9a12456822df6cd273bbc5db9eed5ebecb3443e0
parent74e54cc2a337c1f9b4593c43d667e95847721f1e (diff)
parent648f6950cd8d9ac767d76a1e302f37c611936a7a (diff)
Merge bitcoin/bitcoin#26149: Fix assert failure in miniscript string parsing
648f6950cd8d9ac767d76a1e302f37c611936a7a Correct sanity-checking script_size calculation (Pieter Wuille) Pull request description: Fix a bug in the script_size sanity-check in the miniscript string parser, found by oss-fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51636, and introduced in e8cc2e4afc1142aa2b3da19cd5c17deea9963244 (#25540). This bug would cause an assertion failure when feeding a miniscript with a `thresh(k,...)` fragment, with k >= 128, to an RPC. ACKs for top commit: darosior: utACK 648f6950cd8d9ac767d76a1e302f37c611936a7a achow101: ACK 648f6950cd8d9ac767d76a1e302f37c611936a7a Tree-SHA512: d86a0721758cd1e42ef02050b542f0935efdc19447a1ca76a3ade96352a6ee8261eef3d4a5cbdec77bf0ad14dfed42e9eb6bd4246b816a9f6f06d786900da9e7
-rw-r--r--src/script/miniscript.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/script/miniscript.h b/src/script/miniscript.h
index ab25fa67b7..c4f41e0adf 100644
--- a/src/script/miniscript.h
+++ b/src/script/miniscript.h
@@ -1221,7 +1221,7 @@ inline NodeRef<Key> Parse(Span<const char> in, const Ctx& ctx)
// n = 1 here because we read the first WRAPPED_EXPR before reaching THRESH
to_parse.emplace_back(ParseContext::THRESH, 1, k);
to_parse.emplace_back(ParseContext::WRAPPED_EXPR, -1, -1);
- script_size += 2 + (k > 16);
+ script_size += 2 + (k > 16) + (k > 0x7f) + (k > 0x7fff) + (k > 0x7fffff);
} else if (Const("andor(", in)) {
to_parse.emplace_back(ParseContext::ANDOR, -1, -1);
to_parse.emplace_back(ParseContext::CLOSE_BRACKET, -1, -1);
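Review bot: The thresholds on the new `script_size` line are unexplained magic numbers; they appear to follow the byte width of the script-number push for k, and a comment would help keep the estimate in step with the real encoding, e.g. `// k is OP_k up to 16, otherwise a length-prefixed script number: one more byte past 0x7f, 0x7fff and 0x7fffff`. The chain stops at 0x7fffff, so if k can exceed 0x7fffffff at this point (its type and range check are outside the hunk) the estimate would still be one byte short, which is worth confirming. The diffstat shows only miniscript.h changed, so no regression test pins the k >= 128 case that oss-fuzz reported; a parser test at each width boundary would guard the assertion, since the description says this path is reachable from RPC input. Parse's body starts and ends outside the hunk.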