author | Antoine Poinsot <darosior@protonmail.com> | 2023-11-09 14:53:15 +0100 |
---|---|---|
committer | Antoine Poinsot <darosior@protonmail.com> | 2023-12-31 16:19:56 +0100 |
commit | a44808fb437864878c2d9696b8a96193091446ee (patch) | |
tree | 4e424889607809ce8216e68a21be6c6cae37c9da /src/wallet | |
parent | 4b1196a9855dcd188a24f393aa2fa21e2d61f061 (diff) |
fuzz: rule-out too deep derivation paths in descriptor parsing targets
This fixes the reported timeouts and directs the target's cycles toward what it is intended to fuzz: the descriptor syntax.
Diffstat (limited to 'src/wallet')
-rw-r--r-- | src/wallet/test/fuzz/scriptpubkeyman.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/wallet/test/fuzz/scriptpubkeyman.cpp b/src/wallet/test/fuzz/scriptpubkeyman.cpp
index b0c955f482..228e9629ed 100644
--- a/src/wallet/test/fuzz/scriptpubkeyman.cpp
+++ b/src/wallet/test/fuzz/scriptpubkeyman.cpp
@@ -49,9 +49,21 @@ void initialize_spkm()
     MOCKED_DESC_CONVERTER.Init();
 }
 
+/**
+ * Key derivation is expensive. Deriving deep derivation paths take a lot of compute and we'd rather spend time
+ * elsewhere in this target, like on actually fuzzing the DescriptorScriptPubKeyMan. So rule out strings which could
+ * correspond to a descriptor containing a too large derivation path.
+ */
+static bool TooDeepDerivPath(std::string_view desc)
+{
+    const FuzzBufferType desc_buf{reinterpret_cast<const unsigned char *>(desc.data()), desc.size()};
+    return HasDeepDerivPath(desc_buf);
+}
+
 static std::optional<std::pair<WalletDescriptor, FlatSigningProvider>> CreateWalletDescriptor(FuzzedDataProvider& fuzzed_data_provider)
 {
     const std::string mocked_descriptor{fuzzed_data_provider.ConsumeRandomLengthString()};
+    if (TooDeepDerivPath(mocked_descriptor)) return {};
     const auto desc_str{MOCKED_DESC_CONVERTER.GetDescriptor(mocked_descriptor)};
     if (!desc_str.has_value()) return std::nullopt;
 
|
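Review bot: The early return added to CreateWalletDescriptor spells the empty optional as `return {};` while the very next line uses `return std::nullopt;`; both are equivalent for a `std::optional` return type, but the hunk would read more uniformly as `if (TooDeepDerivPath(mocked_descriptor)) return std::nullopt;`. The doc comment on TooDeepDerivPath also has a grammar slip: `Deriving deep derivation paths take a lot of compute` should read `takes`, and `a too large derivation path` reads better as `an overly deep derivation path`. HasDeepDerivPath and FuzzBufferType are not defined in this hunk, so the threshold that counts as "too deep" lives elsewhere; a one-line pointer to where that limit is defined would help a reader judge which descriptor inputs this target now never exercises. CreateWalletDescriptor's body continues past the end of the hunk.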