milksad
/
rust-bitcoin-unsafe-fast
14
0
Fork 0
Code Issues Pull Requests Activity

Merge pull request #25 from neosilky/panic-fix 

Sanity checks for vector length
This commit is contained in:
Andrew Poelstra 2017-06-07 16:07:53 +00:00 committed by GitHub
parent 9a0aeb8646 3cf1ccf8f8
commit 287d285214
4 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
fuzz/.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
target
corpus
artifacts

22
fuzz/Cargo.toml Normal file
View File

@ -0,0 +1,22 @@
[package]
name = "bitcoin-fuzz"
version = "0.0.1"
authors = ["Automatically generated"]
publish = false
[package.metadata]
cargo-fuzz = true
[dependencies.bitcoin]
path = ".."
[dependencies.libfuzzer-sys]
git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
# Prevent this from interfering with workspaces
[workspace]
members = ["."]
[[bin]]
name = "fuzzer_script_1"
path = "fuzzers/fuzzer_script_1.rs"

13
fuzz/fuzzers/fuzzer_script_1.rs Normal file
View File

@ -0,0 +1,13 @@
#![no_main]
#[macro_use] extern crate libfuzzer_sys;
extern crate bitcoin;
type BResult = Result<bitcoin::blockdata::script::Script, bitcoin::util::Error>;
//type BResult = Result<bitcoin::blockdata::transaction::Transaction, bitcoin::util::Error>;
//type BResult = Result<bitcoin::blockdata::transaction::TxIn, bitcoin::util::Error>;
//type BResult = Result<bitcoin::blockdata::transaction::TxOut, bitcoin::util::Error>;
//type BResult = Result<bitcoin::network::constants::Network, bitcoin::util::Error>;
fuzz_target!(|data: &[u8]| {
let _: BResult = bitcoin::network::serialize::deserialize(data);
});

7
src/network/encodable.rs
View File

@ -188,7 +188,9 @@ impl<D: SimpleDecoder, T: ConsensusDecodable<D>> ConsensusDecodable<D> for Vec<T
#[inline] #[inline]
fn consensus_decode(d: &mut D) -> Result<Vec<T>, D::Error> { fn consensus_decode(d: &mut D) -> Result<Vec<T>, D::Error> {
let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d)); let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d));
let byte_size = len as usize * mem::size_of::<T>(); let byte_size = try!((len as usize)
.checked_mul(mem::size_of::<T>())
.ok_or(d.error("Invalid length".to_owned())));
if byte_size > MAX_VEC_SIZE { if byte_size > MAX_VEC_SIZE {
return Err(d.error(format!("tried to allocate vec of size {} (max {})", byte_size, MAX_VEC_SIZE))); return Err(d.error(format!("tried to allocate vec of size {} (max {})", byte_size, MAX_VEC_SIZE)));
} }
@ -208,6 +210,9 @@ impl<D: SimpleDecoder, T: ConsensusDecodable<D>> ConsensusDecodable<D> for Box<[
fn consensus_decode(d: &mut D) -> Result<Box<[T]>, D::Error> { fn consensus_decode(d: &mut D) -> Result<Box<[T]>, D::Error> {
let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d)); let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d));
let len = len as usize; let len = len as usize;
if len > MAX_VEC_SIZE {
return Err(d.error(format!("tried to allocate vec of size {} (max {})", len, MAX_VEC_SIZE)));
}
let mut ret = Vec::with_capacity(len); let mut ret = Vec::with_capacity(len);
for _ in 0..len { ret.push(try!(ConsensusDecodable::consensus_decode(d))); } for _ in 0..len { ret.push(try!(ConsensusDecodable::consensus_decode(d))); }
Ok(ret.into_boxed_slice()) Ok(ret.into_boxed_slice())