Merge bitcoin/bitcoin#22146: Reject invalid coin height and output index when loading assumeutxo

fa9ebedec3f982bb5bb459ea33d74c94d9b5cec4 Reject invalid coin height and output index when loading assumeutxo (MarcoFalke)

Pull request description:

  It should be impossible to have a coin at a height higher than the height of the snapshot block, so reject those early to avoid integer wraparounds and hash collisions later on.

  Same for the outpoint index.

  Both issues were found by fuzzing:

  * The height issue by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34793
  * The outpoint issue by my fuzz server: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34793#c2

ACKs for top commit:
  practicalswift:
    cr ACK fa9ebedec3f982bb5bb459ea33d74c94d9b5cec4: patch looks correct
  jamesob:
    crACK https://github.com/bitcoin/bitcoin/pull/22146/commits/fa9ebedec3f982bb5bb459ea33d74c94d9b5cec4
  theStack:
    Code review ACK fa9ebedec3f982bb5bb459ea33d74c94d9b5cec4
  benthecarman:
    crACK fa9ebedec3f982bb5bb459ea33d74c94d9b5cec4

Tree-SHA512: dae7caee4b3862b23ebdf2acb7edec4baf75b0dbf1409b370b1a73aa6b632b317ebfac596dcbaf4edfb1301b513f45465ea75328962460f35e2af0d7e547c9ac

1 files changed, 8 insertions, 0 deletions

diff --git a/src/validation.cpp b/src/validation.cpp
index b48e49a10b..fe4de0d218 100644
--- a/src/validation.cpp
+++ b/src/validation.cpp
@@ -4879,6 +4879,14 @@ bool ChainstateManager::PopulateAndValidateSnapshot(
                       coins_count - coins_left);
             return false;
         }
+        if (coin.nHeight > base_height ||
+            outpoint.n >= std::numeric_limits<decltype(outpoint.n)>::max() // Avoid integer wrap-around in coinstats.cpp:ApplyHash
+        ) {
+            LogPrintf("[snapshot] bad snapshot data after deserializing %d coins\n",
+                      coins_count - coins_left);
+            return false;
+        }
+
         coins_cache.EmplaceCoinInternalDANGER(std::move(outpoint), std::move(coin));
 
         --coins_left;