
psbt: crash on checking key type

Open brunoerg opened this issue 1 year ago • 4 comments

We just got a crash on the psbt target. rust-miniscript successfully deserializes a PSBT while Bitcoin Core fails due to `ReadCompactSize(): size too large`. This failure happens during key type checking.

```cpp
// Type is compact size uint at beginning of key
SpanReader skey{key};
uint64_t type = ReadCompactSize(skey);
```

Base64: cHNidP8BABwAAAAFAAL9///+/wAAAAAALwBzYnT/AQAAAQEAdP90/wEAHAAAAAUAAv3///4B///Q////xgBzYnT/AQEAAC0AHAAx/3V0LakrcP8BdP8BAAAB/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD3/Mf91L62pK6k=

brunoerg avatar Jun 18 '24 17:06 brunoerg

Hello, I tried to find the root cause of this bug and there seem to be at least 2 issues present:

  1. Rust-Bitcoin seems to assume that type_value is u8, which is wrong. According to the documentation, it should be a VarInt (check the keytype documentation in the specification).
  2. This check seems to be missing.

hax0kartik avatar Jun 18 '24 22:06 hax0kartik
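To make the two points above concrete (the `ReadCompactSize` snippet in the report and the u8-versus-VarInt mismatch), here is an added example, not code from bitcoinfuzz, Bitcoin Core or rust-bitcoin: a minimal PSBT key-value map walker that reads the key type as a CompactSize with the same canonicality and `MAX_SIZE` rejections Bitcoin Core's `ReadCompactSize()` applies. The two map inputs at the end are constructed for the example, not taken from the issue's PSBT.

```python
MAX_SIZE = 0x02000000  # Bitcoin Core's MAX_SIZE: ReadCompactSize() rejects anything larger


def read_compact_size(buf, pos):
    """Decode a CompactSize/VarInt at buf[pos] -> (value, next_pos), with the
    same rejections as Bitcoin Core's ReadCompactSize(): non-canonical encodings
    and values above MAX_SIZE raise instead of being accepted silently."""
    first = buf[pos]
    pos += 1
    if first < 0xFD:
        return first, pos
    width, floor = {0xFD: (2, 0xFD), 0xFE: (4, 0x10000), 0xFF: (8, 0x100000000)}[first]
    raw = buf[pos:pos + width]
    if len(raw) != width:
        raise ValueError("ReadCompactSize(): truncated")
    value = int.from_bytes(raw, "little")
    if value < floor:
        raise ValueError("non-canonical ReadCompactSize()")
    if value > MAX_SIZE:
        raise ValueError("ReadCompactSize(): size too large")
    return value, pos + width


def parse_map(buf, pos=0):
    """Parse one PSBT <keyvalue map> up to its 0x00 separator.
    Returns ([(key_type, key_data, value), ...], next_pos)."""
    entries = []
    while True:
        klen, pos = read_compact_size(buf, pos)
        if klen == 0:  # separator: end of this map
            return entries, pos
        key, pos = buf[pos:pos + klen], pos + klen
        if len(key) != klen:
            raise ValueError("truncated key")
        # BIP 174: the type is a CompactSize at the start of the key, not key[0].
        # A u8 read would return 0xFF here and never reach the range check.
        key_type, data_off = read_compact_size(key, 0)
        vlen, pos = read_compact_size(buf, pos)
        value, pos = buf[pos:pos + vlen], pos + vlen
        if len(value) != vlen:
            raise ValueError("truncated value")
        entries.append((key_type, key[data_off:], value))


# Constructed inputs (not the issue's PSBT): a normal PSBT_IN_PARTIAL_SIG-style key, and a
# key whose leading 0xFF announces an 8-byte type far above MAX_SIZE.
GOOD_KEY = bytes([0x02]) + b"\x11" * 33                    # type 2 + 33-byte pubkey
BAD_KEY = bytes([0xFF]) + (2 ** 40).to_bytes(8, "little")  # type 2^40
GOOD_MAP = bytes([len(GOOD_KEY)]) + GOOD_KEY + bytes([1, 0xAA]) + b"\x00"
BAD_MAP = bytes([len(BAD_KEY)]) + BAD_KEY + bytes([1, 0xAA]) + b"\x00"
```

`parse_map(GOOD_MAP)` yields one entry of type 2, while `parse_map(BAD_MAP)` raises the same "size too large" error the report quotes; a parser that reads `key[0]` as the type accepts the second map with type 255.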

cc: @apoelstra

brunoerg avatar Jun 19 '24 09:06 brunoerg

Thanks for finding this! I have subscribed to the repo so you hopefully won't need to ping me in future.

This looks reasonably straightforward to fix although it will involve prodding the psbt module which is in a state of limbo as we explore rewriting it.

apoelstra avatar Jun 19 '24 13:06 apoelstra

Thank you, @apoelstra.

brunoerg avatar Jun 19 '24 14:06 brunoerg

Closed as resolved. All implementations have fixed it.

brunoerg avatar Nov 04 '24 20:11 brunoerg