Avoid heap out-of-bounds read in Node::CalcOps (test case: OP_0 OP_2 …

…OP_EQUAL) and assertion failure in ComputeType (test case: OP_0 OP_0 OP_EQUAL) Closes #12. Closes #13. Co-authored-by: sanket1729 <sanket1729@gmail.com>
sipa · Aug 5, 2021 · 0d43166 · 0d43166
1 parent f7de269
commit 0d43166
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/bitcoin/script/miniscript.h b/bitcoin/script/miniscript.h
@@ -1167,6 +1167,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
     }
     subs.clear();
     if (last - in >= 3 && in[0].first == OP_EQUAL && ParseScriptNumber(in[1], k)) {
+        if (k < 1) {
+            return {};
+        }
         in += 2;
         while (last - in >= 2 && in[0].first == OP_ADD) {
             ++in;
@@ -1177,6 +1180,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
         auto sub = DecodeSingle<Key>(in, last, ctx);
         if (!sub) return {};
         subs.push_back(std::move(sub));
+        if (static_cast<unsigned int>(k) > subs.size()) {
+            return {};
+        }
         std::reverse(subs.begin(), subs.end());
         return MakeNodeRef<Key>(NodeType::THRESH, std::move(subs), k);
     }