New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix invalid memory access in CScript::operator+= (guidovranken, ajtowns) #11284
Conversation
Concept ACK. Nice! |
ACK - good spot. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK 84a8b8ab28cf379f1909f0bfc63c9eb25fba4dbd
I was going to suggest just outlawing adding a CScript to itself, but this fix is so small there's no point doing anything else.
src/script/script.h
Outdated
@@ -420,6 +420,7 @@ class CScript : public CScriptBase | |||
|
|||
CScript& operator+=(const CScript& b) | |||
{ | |||
reserve(size()+b.size()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ultranit: spaces around +
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ooops. Fixed. Ran the clang-format snippet over it; also changed the declaration of "hex" in the test code.
84a8b8a
to
d601f16
Compare
Testing with the updated script_tests.cpp -- without reserve():
with reserve():
|
I believe common practice would be to credit the reporter (@guidovranken) in the commit message. |
utACK d601f16 |
…vranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for #11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
… (guidovranken, ajtowns) d601f16 Fix invalid memory access in CScript::operator+= (Anthony Towns) Pull request description: This is a fix for bitcoin#11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended). The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid. A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed... Tree-SHA512: 4720d0c17463fdc43b344c45fe603423d20b30d48da1b9d85eeedc505d7f34db1ed5495ef1556459ae962a94717e3c6e8fc441763771901efea210d01322b7ef
This is a fix for #11114 -- invoking "s += s" gets turned into "s.insert(s.end(), s.begin(), s.end())" which can result in an invalid memory access is s.capacity() < 2*s.size() (because s gets resized and possibly moved, so s.begin() and s.end() become invalid references when reading the values to be appended).
The fix is straightforward: reserve enough space in advance, so that insert() doesn't need to resize and thus its arguments remain valid.
A simple test case is added as well; though you probably need to run it via valgrind to actually catch the problem when it's not fixed...