Skip to content

Commit

Permalink
Avoid heap out-of-bounds read in Node::CalcOps (test case: OP_0 OP_2 …
Browse files Browse the repository at this point in the history 
…OP_EQUAL) and assertion failure in ComputeType (test case: OP_0 OP_0 OP_EQUAL)

Closes sipa#12.

Closes sipa#13.

Co-authored-by: sanket1729 <sanket1729@gmail.com>
  • Loading branch information
@practicalswift @sanket1729 @meshcollider
2 people authored and meshcollider committed Aug 20, 2021
1 parent 97e9279 commit 9a2c4b6
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions bitcoin/script/miniscript.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1175,6 +1175,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
}
subs.clear();
if (last - in >= 3 && in[0].first == OP_EQUAL && ParseScriptNumber(in[1], k)) {
if (k < 1) {
return {};
}
in += 2;
while (last - in >= 2 && in[0].first == OP_ADD) {
++in;
Expand All @@ -1185,6 +1188,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
auto sub = DecodeSingle<Key>(in, last, ctx);
if (!sub) return {};
subs.push_back(std::move(sub));
if (static_cast<unsigned int>(k) > subs.size()) {
return {};
}
std::reverse(subs.begin(), subs.end());
return MakeNodeRef<Key>(NodeType::THRESH, std::move(subs), k);
}
Expand Down

0 comments on commit 9a2c4b6

Please sign in to comment.