From eeec5290316fa78974c4ef5e8cfb7bdf7a08c09c Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Tue, 17 Oct 2023 10:37:41 -0500
Subject: [PATCH] bolt11: check return value of pull_all

Otherwise, if pull_all fails, we attempt to create a script from NULL, causing a UBSan report:

bitcoin/script.c:29:28: runtime error: null pointer passed as argument 2, which is declared to never be null

Corpus input bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6 triggers the UBSan report, but we didn't previously realize this because UBSan has been disabled in the CI run. We rename the input to indicate its usefulness as a permanent regression test.
---
 common/bolt11.c | 2 ++
 ...d8cfd1ac6 => crash-bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6} | 0
 2 files changed, 2 insertions(+)
 rename tests/fuzz/corpora/fuzz-bolt11/{bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6 => crash-bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6} (100%)

diff --git a/common/bolt11.c b/common/bolt11.c
index 433a73d3fbd6..c23a74641f2f 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -390,6 +390,8 @@ static const char *decode_f(struct bolt11 *b11,
 fallback = scriptpubkey_p2sh_hash(b11, shash);
 } else if (version < 17) {
 u8 *f = pull_all(tmpctx, hu5, data, field_len, false, &err);
+ if (!f)
+ return err;
 if (version == 0) {
 if (tal_count(f) != 20 && tal_count(f) != 32)
 return tal_fmt(b11,
diff --git a/tests/fuzz/corpora/fuzz-bolt11/bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6 b/tests/fuzz/corpora/fuzz-bolt11/crash-bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6
similarity index 100%
rename from tests/fuzz/corpora/fuzz-bolt11/bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6
rename to tests/fuzz/corpora/fuzz-bolt11/crash-bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6
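Review bot: The added `if (!f) return err;` relies on pull_all always populating err whenever it returns NULL, and that contract is not visible from this hunk; if err can be left NULL, decode_f would return NULL on a failed pull, which a caller expecting "NULL means success" would treat as a valid decode of attacker-controlled input. A one-line comment pinning the contract at the check would make this auditable, e.g. `/* pull_all sets err whenever it returns NULL. */`. The other error paths in this hunk allocate their message on b11 via tal_fmt(b11, ...), so it is worth confirming err has the same lifetime rather than being attached to tmpctx. decode_f begins before and ends after this hunk, and its other branches that call pull_all (if any) would need the same guard.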