Merge bitcoin/bitcoin#28968: fuzz: Fix nullptr deref in scriptpubkeyman

faecde9 fuzz: Fix nullptr deref in scriptpubkeyman (MarcoFalke) Pull request description: This should fix the UB that was found by review (bitcoin/bitcoin#28578 (comment)) and by fuzzing (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64487) ACKs for top commit: dergoegge: utACK faecde9 brunoerg: crACK faecde9 Tree-SHA512: ff726ed632d8d369c96d316bafebe87ff385e47b74b1d1da79409ddf296559eb991431883858057527e5df2414c01812ecbc99c21c69020228b0747f32b03121
bitcoin-core · Nov 29, 2023 · d00d50e · d00d50e
2 parents 8cf2137 + faecde9
commit d00d50e
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/src/test/util/setup_common.h b/src/test/util/setup_common.h
@@ -5,14 +5,14 @@
 #ifndef BITCOIN_TEST_UTIL_SETUP_COMMON_H
 #define BITCOIN_TEST_UTIL_SETUP_COMMON_H
 
-#include <common/args.h>
+#include <common/args.h> // IWYU pragma: export
 #include <key.h>
 #include <node/caches.h>
 #include <node/context.h> // IWYU pragma: export
 #include <primitives/transaction.h>
 #include <pubkey.h>
 #include <stdexcept>
-#include <util/chaintype.h>
+#include <util/chaintype.h> // IWYU pragma: export
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/string.h>

diff --git a/src/wallet/test/fuzz/scriptpubkeyman.cpp b/src/wallet/test/fuzz/scriptpubkeyman.cpp
@@ -2,16 +2,37 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include <addresstype.h>
 #include <chainparams.h>
-#include <validation.h>
+#include <coins.h>
+#include <key.h>
+#include <primitives/transaction.h>
+#include <psbt.h>
+#include <script/descriptor.h>
+#include <script/interpreter.h>
+#include <script/script.h>
+#include <script/signingprovider.h>
+#include <sync.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 #include <test/fuzz/util.h>
 #include <test/fuzz/util/descriptor.h>
 #include <test/util/setup_common.h>
+#include <util/check.h>
+#include <util/translation.h>
+#include <validation.h>
 #include <wallet/scriptpubkeyman.h>
-#include <wallet/wallet.h>
 #include <wallet/test/util.h>
+#include <wallet/types.h>
+#include <wallet/wallet.h>
+#include <wallet/walletutil.h>
+
+#include <map>
+#include <memory>
+#include <optional>
+#include <string>
+#include <utility>
+#include <variant>
 
 namespace wallet {
 namespace {
@@ -99,7 +120,9 @@ FUZZ_TARGET(scriptpubkeyman, .init = initialize_spkm)
                     bool extract_dest{ExtractDestination(spk, dest)};
                     if (extract_dest) {
                         const std::string msg{fuzzed_data_provider.ConsumeRandomLengthString()};
-                        PKHash pk_hash{fuzzed_data_provider.ConsumeBool() ? PKHash{ConsumeUInt160(fuzzed_data_provider)} : *std::get_if<PKHash>(&dest)};
+                        PKHash pk_hash{std::get_if<PKHash>(&dest) && fuzzed_data_provider.ConsumeBool() ?
+                                           *std::get_if<PKHash>(&dest) :
+                                           PKHash{ConsumeUInt160(fuzzed_data_provider)}};
                         std::string str_sig;
                         (void)spk_manager->SignMessage(msg, pk_hash, str_sig);
                     }