From 89831ef7919f341f8aefa41f09e55d47926c6577 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Mon, 2 Oct 2017 14:46:16 +0200
Subject: [PATCH] Merge #11284: Fix invalid memory access in CScript::operator+= (guidovranken, ajtowns)
d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns)
Pull request description:
This is a fix for #11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed...
Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
---
 src/script/script.h | 1 +
 src/test/script_tests.cpp | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/src/script/script.h b/src/script/script.h
index 6643e12197fe84..7c543bb7bb1c80 100644
--- a/src/script/script.h
+++ b/src/script/script.h
@@ -420,6 +420,7 @@ class CScript : public CScriptBase
 
     CScript& operator+=(const CScript& b)
     {
+        reserve(size() + b.size());
         insert(end(), b.begin(), b.end());
         return *this;
     }
diff --git a/src/test/script_tests.cpp b/src/test/script_tests.cpp
index 71565ce5a5797d..40a4b60e064cc6 100644
--- a/src/test/script_tests.cpp
+++ b/src/test/script_tests.cpp
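Review bot: The added `reserve()` makes `s += s` safe only because the base container's `insert()` happens not to reallocate once capacity suffices and copies `[b.begin(), b.end())` into storage that does not overlap the source; the sequence-container contract still forbids passing iterators into `*this` to `insert()`, so a later change to `CScriptBase` (or an `insert()` that copies in a different order) would silently reintroduce the use-after-free. I would make the aliasing explicit ahead of the `reserve()`, `if (&b == this) { CScript copy(b); return *this += copy; }`, or at minimum leave a comment on the new line: `// Pre-grow so b.begin()/b.end() stay valid when b aliases *this (s += s); insert() from iterators into self is otherwise undefined.` Separately, if `reserve()` in this container allocates exactly `size() + b.size()`, a chain of `+=` calls loses amortized growth and reallocates on every call; likely acceptable for script sizes but worth confirming against the prevector implementation. The `CScript` class continues outside the hunk.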
@@ -1174,4 +1174,21 @@ BOOST_AUTO_TEST_CASE(script_FindAndDelete)
     BOOST_CHECK(s == expect);
 }
 
+BOOST_AUTO_TEST_CASE(script_can_append_self)
+{
+    CScript s, d;
+
+    s = ScriptFromHex("00");
+    s += s;
+    d = ScriptFromHex("0000");
+    BOOST_CHECK(s == d);
+
+    // check doubling a script that's large enough to require reallocation
+    static const char hex[] = "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f";
+    s = CScript() << ParseHex(hex) << OP_CHECKSIG;
+    d = CScript() << ParseHex(hex) << OP_CHECKSIG << ParseHex(hex) << OP_CHECKSIG;
+    s += s;
+    BOOST_CHECK(s == d);
+}
+
 BOOST_AUTO_TEST_SUITE_END()
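Review bot: The second case in `script_can_append_self` only exercises the reallocation path if `s.capacity() < 2 * s.size()` at the moment of the second `s += s`, and the test does not establish that: it depends on how the `<<` calls grew the buffer, so a change to the container's growth policy could leave this test green while no longer covering the bug it was written for. I would pin the precondition right before that `s += s`, `BOOST_CHECK(s.capacity() < 2 * s.size());` (or call `s.shrink_to_fit()` first, if `CScriptBase` provides it), so the test fails loudly instead of silently losing its purpose. The first case (a one-byte script) most likely stays within whatever inline/small storage the base container has and covers only the aliasing copy itself, which is worth stating in a comment such as `// small script: no reallocation, checks the aliasing copy alone`. As the description notes, the equality check alone cannot see the invalid read; a comment pointing out that an ASan or valgrind run is what gives this test teeth would help whoever runs it without one.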