Heap out-of-bounds read in Node::CalcOps when processing script OP_0 OP_2 OP_EQUAL

I'm afraid a carefully constructed script is able to trigger a heap out-of-bounds read in `Node::CalcOps`. 

The smallest Bitcoin script I've been able to construct that triggers this heap out-of-bounds read is `OP_0 OP_2 OP_EQUAL` (`00 52 87`).

`Node::CalcOps` appears to be reachable  via RPC calls `listunspent`, `scantxoutset` and `getaddressinfo`.

Code:

https://github.com/sipa/miniscript/blob/99fa147d89e1b9c285cf42277a9299b6686f5979/bitcoin/script/miniscript.h#L499-L510

Note that `k` is not necessarily within bounds.

Call graph:

* `listunspent/scantxoutset/getaddressinfo` → `InferDescriptor` → `InferScript` → `miniscript::FromScript` → `DecodeMulti` → `DecodeSingle` → `MakeNodeRef` → `Node ctor` → `Node::CalcOps`.

	case NodeType::THRESH: {
	uint32_t stat = 0;
	auto sats = Vector(internal::MaxInt<uint32_t>(0));
	for (const auto& sub : subs) {
	stat += sub->ops.stat + 1;
	auto next_sats = Vector(sats[0] + sub->ops.dsat);
	for (size_t j = 1; j < sats.size(); ++j) next_sats.push_back(Choose(sats[j] + sub->ops.dsat, sats[j - 1] + sub->ops.sat));
	next_sats.push_back(sats[sats.size() - 1] + sub->ops.sat);
	sats = std::move(next_sats);
	}
	return {stat, sats[k], sats[0]};
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Heap out-of-bounds read in Node::CalcOps when processing script OP_0 OP_2 OP_EQUAL #12

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Heap out-of-bounds read in Node::CalcOps when processing script OP_0 OP_2 OP_EQUAL #12

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions