Merge rust-bitcoin/rust-bitcoin#3667: Fix psbt fuzz crash

9aebb96fb9 Fix psbt fuzz crash (Sanket Kanjalkar) Pull request description: Fixes: https://github.com/rust-bitcoin/rust-bitcoin/issues/3628 This occurs when combining two PSBTs with different xpub key sources. Added a length check before indexing into slices to prevent out-of-bounds access. For some reason, the precommit hook complained about non-ascii files. I don't think any of the names here are non-ascii ACKs for top commit: apoelstra: ACK 9aebb96fb99e8e9e019663659c6eff851a62f2ce; successfully ran local tests; thanks! tcharding: ACK 9aebb96fb9 Tree-SHA512: b61274c594bc1f2ea4d04c8a7ace673a7632bb9ea31f59b56779a008c35e61281ea4f6b869990d886779e3e556932a3b2e8b015733ef18e236f12ca77e211c26
2024-11-28 00:00:12 +00:00 · 2024-11-28 00:00:12 +00:00 · a22dfc2897
parent cefcce5bbf 9aebb96fb9
commit a22dfc2897
3 changed files with 15 additions and 2 deletions
--- a/bitcoin/src/psbt/mod.rs
+++ b/bitcoin/src/psbt/mod.rs
@ -255,8 +255,9 @@ impl Psbt {
                                == derivation2[derivation2.len() - derivation1.len()..])
                    {
                        continue;
-                    } else if derivation2[..]
-                        == derivation1[derivation1.len() - derivation2.len()..]
+                    } else if derivation2.len() <= derivation1.len()
+                        && derivation2[..]
+                                == derivation1[derivation1.len() - derivation2.len()..]
                    {
                        entry.insert((fingerprint1, derivation1));
                        continue;
@ -2116,6 +2117,16 @@ mod tests {
        assert_eq!(psbt1, psbt2);
    }

+
+    // https://github.com/rust-bitcoin/rust-bitcoin/issues/3628
+    #[test]
+    fn test_combine_psbt_fuzz_3628() {
+        let mut psbt1 = hex_psbt(include_str!("../../tests/data/psbt_fuzz1.hex")).unwrap();
+        let psbt2 = hex_psbt(include_str!("../../tests/data/psbt_fuzz2.hex")).unwrap();
+
+        assert!(matches!(psbt1.combine(psbt2).unwrap_err(), Error::CombineInconsistentKeySources(_)));
+    }
+
    #[cfg(feature = "rand-std")]
    fn gen_keys() -> (PrivateKey, PublicKey, Secp256k1<All>) {
        use secp256k1::rand::thread_rng;
--- a/bitcoin/tests/data/psbt_fuzz1.hex
+++ b/bitcoin/tests/data/psbt_fuzz1.hex
@ -0,0 +1 @@
+70736274ff01000a000000ff0000000074ff4f010488b21eff02000001004a92244992244902030203030303030303030303030303030303030303030303030303030303030303f4000000000000000a000208ffffffff08080804000000000000000c080808000b0000000000010000
--- a/bitcoin/tests/data/psbt_fuzz2.hex
+++ b/bitcoin/tests/data/psbt_fuzz2.hex
@ -0,0 +1 @@
+70736274ff01000a000000ff0000000074ff4f010488b21eff02000001004a92244992244902030203030303030303030303030303030303030303030303030303030303030303f4000000000000000a000208ffffffff080808040000000000000008000000000000001000
				`@ -0,0 +1 @@`
				`70736274ff01000a000000ff0000000074ff4f010488b21eff02000001004a92244992244902030203030303030303030303030303030303030303030303030303030303030303f4000000000000000a000208ffffffff08080804000000000000000c080808000b0000000000010000`