From fab99865c0e62468a1b55d7e467398cc2343121b Mon Sep 17 00:00:00 2001
From: MarcoFalke <falke.marco@gmail.com>
Date: Sun, 4 Jul 2021 16:38:51 +0200
Subject: fuzz: Improve ConsumeTxDestination

* Assert when a type is missing
* Add missing WitnessV1Taproot
* Limit WitnessUnknown to version [2, 16], to avoid abiguity
* Limit WitnessUnknown to size [2, 40], to avoid invalid sizes
---
 src/test/fuzz/util.cpp | 16 ++++++++++++----
 src/test/fuzz/util.h   |  3 ++-
 2 files changed, 14 insertions(+), 5 deletions(-)

(limited to 'src/test')

diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
index a71b7e32fd..ece3214ed5 100644
--- a/src/test/fuzz/util.cpp
+++ b/src/test/fuzz/util.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include <pubkey.h>
 #include <test/fuzz/util.h>
 #include <test/util/script.h>
 #include <util/rbf.h>
@@ -308,7 +309,7 @@ uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept
 {
     CTxDestination tx_destination;
-    CallOneOf(
+    const size_t call_size{CallOneOf(
         fuzzed_data_provider,
         [&] {
             tx_destination = CNoDestination{};
@@ -325,13 +326,20 @@ CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) no
         [&] {
             tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)};
         },
+        [&] {
+            tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}};
+        },
         [&] {
             WitnessUnknown witness_unknown{};
-            witness_unknown.version = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
-            const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+            witness_unknown.version = fuzzed_data_provider.ConsumeIntegralInRange(2, 16);
+            std::vector<uint8_t> witness_unknown_program_1{fuzzed_data_provider.ConsumeBytes<uint8_t>(40)};
+            if (witness_unknown_program_1.size() < 2) {
+                witness_unknown_program_1 = {0, 0};
+            }
             witness_unknown.length = witness_unknown_program_1.size();
             std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown.program);
             tx_destination = witness_unknown;
-        });
+        })};
+    Assert(call_size == std::variant_size_v<CTxDestination>);
     return tx_destination;
 }
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 60dc9050fe..9f09395a9a 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -37,7 +37,7 @@
 #include <vector>
 
 template <typename... Callables>
-void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
+size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
 {
     constexpr size_t call_size{sizeof...(callables)};
     static_assert(call_size >= 1);
@@ -45,6 +45,7 @@ void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
 
     size_t i{0};
     ((i++ == call_index ? callables() : void()), ...);
+    return call_size;
 }
 
 template <typename Collection>
-- 
cgit v1.2.3