[test] demonstrate nullptr deref on short id collision

dergoegge · dergoegge · commit c6580c058a54 · 2024-04-03T12:06:56.000+01:00
diff --git a/src/blockencodings.cpp b/src/blockencodings.cpp
@@ -18,7 +18,7 @@
 #include <unordered_map>
 
 CBlockHeaderAndShortTxIDs::CBlockHeaderAndShortTxIDs(const CBlock& block) :
-        nonce(GetRand<uint64_t>()),
+        nonce(0),
         shorttxids(block.vtx.size() - 1), prefilledtxn(1), header(block) {
     FillShortTxIDSelector();
     //TODO: Use our mempool prior to block acceptance to predictively fill more than just the coinbase
@@ -42,7 +42,7 @@ void CBlockHeaderAndShortTxIDs::FillShortTxIDSelector() const {
 
 uint64_t CBlockHeaderAndShortTxIDs::GetShortID(const uint256& txhash) const {
     static_assert(SHORTTXIDS_LENGTH == 6, "shorttxids calculation assumes 6-byte shorttxids");
-    return SipHashUint256(shorttxidk0, shorttxidk1, txhash) & 0xffffffffffffL;
+    return SipHashUint256(shorttxidk0, shorttxidk1, txhash) & 0xffL;
 }
 
 
diff --git a/src/test/fuzz/partially_downloaded_block.cpp b/src/test/fuzz/partially_downloaded_block.cpp
@@ -79,6 +79,7 @@ FUZZ_TARGET(partially_downloaded_block, .init = initialize_pdb)
         }
     }
 
+    extra_txn.emplace_back(uint256{}, nullptr);
     auto init_status{pdb.InitData(cmpctblock, extra_txn)};
 
     std::vector<CTransactionRef> missing;

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ FUZZ_TARGET(partially_downloaded_block, .init = initialize_pdb)`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`
	`82`	`+ extra_txn.emplace_back(uint256{}, nullptr);`
`82`	`83`	`auto init_status{pdb.InitData(cmpctblock, extra_txn)};`
`83`	`84`
`84`	`85`	`std::vector<CTransactionRef> missing;`