tests: Add fuzzing harness for CScript operations

src/Makefile.test.include

@@ -61,6 +61,7 @@ FUZZ_TARGETS = \
   test/fuzz/script \
   test/fuzz/script_deserialize \
   test/fuzz/script_flags \
+  test/fuzz/script_ops \
   test/fuzz/service_deserialize \
   test/fuzz/spanparsing \
   test/fuzz/strprintf \
@@ -590,6 +591,12 @@ test_fuzz_script_flags_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_script_flags_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_script_flags_SOURCES = $(FUZZ_SUITE) test/fuzz/script_flags.cpp
 
+test_fuzz_script_ops_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_ops_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_ops_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_ops_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_ops_SOURCES = $(FUZZ_SUITE) test/fuzz/script_ops.cpp
+
 test_fuzz_service_deserialize_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -DSERVICE_DESERIALIZE=1
 test_fuzz_service_deserialize_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_service_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)

src/test/fuzz/script_ops.cpp

@@ -0,0 +1,67 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <script/script.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    CScript script = ConsumeScript(fuzzed_data_provider);
+    while (fuzzed_data_provider.remaining_bytes() > 0) {
+        switch (fuzzed_data_provider.ConsumeIntegralInRange(0, 7)) {
+        case 0:
+            script += ConsumeScript(fuzzed_data_provider);
+            break;
+        case 1:
+            script = script + ConsumeScript(fuzzed_data_provider);
+            break;
+        case 2:
+            script << fuzzed_data_provider.ConsumeIntegral<int64_t>();
+            break;
+        case 3:
+            script << ConsumeOpcodeType(fuzzed_data_provider);
+            break;
+        case 4:
+            script << ConsumeScriptNum(fuzzed_data_provider);
+            break;
+        case 5:
+            script << ConsumeRandomLengthByteVector(fuzzed_data_provider);
+            break;
+        case 6:
+            script.clear();
+            break;
+        case 7: {
+            (void)script.GetSigOpCount(false);
+            (void)script.GetSigOpCount(true);
+            (void)script.GetSigOpCount(script);
+            (void)script.HasValidOps();
+            (void)script.IsPayToScriptHash();
+            (void)script.IsPayToWitnessScriptHash();
+            (void)script.IsPushOnly();
+            (void)script.IsUnspendable();
+            {
+                CScript::const_iterator pc = script.begin();
+                opcodetype opcode;
+                (void)script.GetOp(pc, opcode);
+                std::vector<uint8_t> data;
+                (void)script.GetOp(pc, opcode, data);
+                (void)script.IsPushOnly(pc);
+            }
+            {
+                int version;
+                std::vector<uint8_t> program;
+                (void)script.IsWitnessProgram(version, program);
+            }
+            break;
+        }
+        }
+    }
+}