5 files changed, 51 insertions, 30 deletions

diff --git a/src/test/fuzz/FuzzedDataProvider.h b/src/test/fuzz/FuzzedDataProvider.h
index 6cbfc39bc2..8a8214bd99 100644
--- a/src/test/fuzz/FuzzedDataProvider.h
+++ b/src/test/fuzz/FuzzedDataProvider.h
@@ -209,7 +209,7 @@ T FuzzedDataProvider::ConsumeIntegralInRange(T min, T max) {
     abort();
 
   // Use the biggest type possible to hold the range and the result.
-  uint64_t range = static_cast<uint64_t>(max) - min;
+  uint64_t range = static_cast<uint64_t>(max) - static_cast<uint64_t>(min);
   uint64_t result = 0;
   size_t offset = 0;
 
@@ -230,7 +230,7 @@ T FuzzedDataProvider::ConsumeIntegralInRange(T min, T max) {
   if (range != std::numeric_limits<decltype(range)>::max())
     result = result % (range + 1);
 
-  return static_cast<T>(min + result);
+  return static_cast<T>(static_cast<uint64_t>(min) + result);
 }
 
 // Returns a floating point value in the range [Type's lowest, Type's max] by
@@ -390,7 +390,7 @@ TS FuzzedDataProvider::ConvertUnsignedToSigned(TU value) {
     return static_cast<TS>(value);
   } else {
     constexpr auto TS_min = std::numeric_limits<TS>::min();
-    return TS_min + static_cast<char>(value - TS_min);
+    return TS_min + static_cast<TS>(value - TS_min);
   }
 }
 
diff --git a/src/test/fuzz/addrman.cpp b/src/test/fuzz/addrman.cpp
index e0fa7ae908..f0035ddf21 100644
--- a/src/test/fuzz/addrman.cpp
+++ b/src/test/fuzz/addrman.cpp
@@ -300,12 +300,20 @@ FUZZ_TARGET(addrman, .init = initialize_addrman)
             });
     }
     const AddrMan& const_addr_man{addr_man};
+    std::optional<Network> network;
+    if (fuzzed_data_provider.ConsumeBool()) {
+        network = fuzzed_data_provider.PickValueInArray(ALL_NETWORKS);
+    }
     (void)const_addr_man.GetAddr(
         /*max_addresses=*/fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096),
         /*max_pct=*/fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096),
-        /*network=*/std::nullopt);
-    (void)const_addr_man.Select(fuzzed_data_provider.ConsumeBool());
-    (void)const_addr_man.Size();
+        network);
+    (void)const_addr_man.Select(fuzzed_data_provider.ConsumeBool(), network);
+    std::optional<bool> in_new;
+    if (fuzzed_data_provider.ConsumeBool()) {
+        in_new = fuzzed_data_provider.ConsumeBool();
+    }
+    (void)const_addr_man.Size(network, in_new);
     CDataStream data_stream(SER_NETWORK, PROTOCOL_VERSION);
     data_stream << const_addr_man;
 }
diff --git a/src/test/fuzz/crypto_chacha20.cpp b/src/test/fuzz/crypto_chacha20.cpp
index 3fa445096a..63c7bf3b45 100644
--- a/src/test/fuzz/crypto_chacha20.cpp
+++ b/src/test/fuzz/crypto_chacha20.cpp
@@ -28,10 +28,11 @@ FUZZ_TARGET(crypto_chacha20)
                 chacha20.SetKey32(key.data());
             },
             [&] {
-                chacha20.SetIV(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
-            },
-            [&] {
-                chacha20.Seek64(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
+                chacha20.Seek64(
+                    {
+                        fuzzed_data_provider.ConsumeIntegral<uint32_t>(),
+                        fuzzed_data_provider.ConsumeIntegral<uint64_t>()
+                    }, fuzzed_data_provider.ConsumeIntegral<uint32_t>());
             },
             [&] {
                 std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
@@ -63,17 +64,16 @@ void ChaCha20SplitFuzz(FuzzedDataProvider& provider)
     auto key_bytes = provider.ConsumeBytes<unsigned char>(32);
     std::copy(key_bytes.begin(), key_bytes.end(), key);
     uint64_t iv = provider.ConsumeIntegral<uint64_t>();
+    uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();
     uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);
-    /* ~x = 2^64 - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
-    uint64_t seek = provider.ConsumeIntegralInRange<uint64_t>(0, ~(total_bytes >> 6));
+    /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
+    uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));
 
     // Initialize two ChaCha20 ciphers, with the same key/iv/position.
     ChaCha20 crypt1(key);
     ChaCha20 crypt2(key);
-    crypt1.SetIV(iv);
-    crypt1.Seek64(seek);
-    crypt2.SetIV(iv);
-    crypt2.Seek64(seek);
+    crypt1.Seek64({iv_prefix, iv}, seek);
+    crypt2.Seek64({iv_prefix, iv}, seek);
 
     // Construct vectors with data.
     std::vector<unsigned char> data1, data2;
diff --git a/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp b/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
index 78fee48de6..285ea2dfe0 100644
--- a/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
+++ b/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
@@ -284,6 +284,8 @@ FUZZ_TARGET(crypto_diff_fuzz_chacha20)
 
     // ECRYPT_keysetup() doesn't set the counter and nonce to 0 while SetKey32() does
     static const uint8_t iv[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+    ChaCha20::Nonce96 nonce{0, 0};
+    uint32_t counter{0};
     ECRYPT_ivsetup(&ctx, iv);
 
     LIMITED_WHILE (fuzzed_data_provider.ConsumeBool(), 3000) {
@@ -292,45 +294,56 @@ FUZZ_TARGET(crypto_diff_fuzz_chacha20)
             [&] {
                 const std::vector<unsigned char> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, 32);
                 chacha20.SetKey32(key.data());
+                nonce = {0, 0};
+                counter = 0;
                 ECRYPT_keysetup(&ctx, key.data(), key.size() * 8, 0);
                 // ECRYPT_keysetup() doesn't set the counter and nonce to 0 while SetKey32() does
                 uint8_t iv[8] = {0, 0, 0, 0, 0, 0, 0, 0};
                 ECRYPT_ivsetup(&ctx, iv);
             },
             [&] {
+                uint32_t iv_prefix = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
                 uint64_t iv = fuzzed_data_provider.ConsumeIntegral<uint64_t>();
-                chacha20.SetIV(iv);
+                nonce = {iv_prefix, iv};
+                counter = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+                chacha20.Seek64(nonce, counter);
+                ctx.input[12] = counter;
+                ctx.input[13] = iv_prefix;
                 ctx.input[14] = iv;
                 ctx.input[15] = iv >> 32;
             },
             [&] {
-                uint64_t counter = fuzzed_data_provider.ConsumeIntegral<uint64_t>();
-                chacha20.Seek64(counter);
-                ctx.input[12] = counter;
-                ctx.input[13] = counter >> 32;
-            },
-            [&] {
                 uint32_t integralInRange = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
-                // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
-                uint64_t pos = ctx.input[12] + (((uint64_t)ctx.input[13]) << 32) + ((integralInRange + 63) >> 6);
                 std::vector<uint8_t> output(integralInRange);
                 chacha20.Keystream(output.data(), output.size());
                 std::vector<uint8_t> djb_output(integralInRange);
                 ECRYPT_keystream_bytes(&ctx, djb_output.data(), djb_output.size());
                 assert(output == djb_output);
-                chacha20.Seek64(pos);
+                // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
+                uint32_t old_counter = counter;
+                counter += (integralInRange + 63) >> 6;
+                if (counter < old_counter) ++nonce.first;
+                if (integralInRange & 63) {
+                    chacha20.Seek64(nonce, counter);
+                }
+                assert(counter == ctx.input[12]);
             },
             [&] {
                 uint32_t integralInRange = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
-                // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
-                uint64_t pos = ctx.input[12] + (((uint64_t)ctx.input[13]) << 32) + ((integralInRange + 63) >> 6);
                 std::vector<uint8_t> output(integralInRange);
                 const std::vector<uint8_t> input = ConsumeFixedLengthByteVector(fuzzed_data_provider, output.size());
                 chacha20.Crypt(input.data(), output.data(), input.size());
                 std::vector<uint8_t> djb_output(integralInRange);
                 ECRYPT_encrypt_bytes(&ctx, input.data(), djb_output.data(), input.size());
                 assert(output == djb_output);
-                chacha20.Seek64(pos);
+                // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
+                uint32_t old_counter = counter;
+                counter += (integralInRange + 63) >> 6;
+                if (counter < old_counter) ++nonce.first;
+                if (integralInRange & 63) {
+                    chacha20.Seek64(nonce, counter);
+                }
+                assert(counter == ctx.input[12]);
             });
     }
 }
diff --git a/src/test/fuzz/netaddress.cpp b/src/test/fuzz/netaddress.cpp
index 049ae02f4d..5141d3362d 100644
--- a/src/test/fuzz/netaddress.cpp
+++ b/src/test/fuzz/netaddress.cpp
@@ -84,7 +84,7 @@ FUZZ_TARGET(netaddress)
     (void)CServiceHash(0, 0)(service);
 
     const CNetAddr other_net_addr = ConsumeNetAddr(fuzzed_data_provider);
-    (void)net_addr.GetReachabilityFrom(&other_net_addr);
+    (void)net_addr.GetReachabilityFrom(other_net_addr);
     (void)sub_net.Match(other_net_addr);
 
     const CService other_service{net_addr, fuzzed_data_provider.ConsumeIntegral<uint16_t>()};