Merge bitcoin/bitcoin#28968: fuzz: Fix nullptr deref in scriptpubkeyman

faecde9102 fuzz: Fix nullptr deref in scriptpubkeyman (MarcoFalke) Pull request description: This should fix the UB that was found by review (https://github.com/bitcoin/bitcoin/pull/28578#discussion_r1404246109) and by fuzzing (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64487) ACKs for top commit: dergoegge: utACK faecde9102 brunoerg: crACK faecde9102 Tree-SHA512: ff726ed632d8d369c96d316bafebe87ff385e47b74b1d1da79409ddf296559eb991431883858057527e5df2414c01812ecbc99c21c69020228b0747f32b03121
2025-02-08 10:31:50 -05:00 · 2023-11-29 17:02:25 +00:00 · 2023-11-29 17:02:25 +00:00 · d00d50e78a
commit d00d50e78a
parent 8cf2137dbe faecde9102
2 changed files with 28 additions and 5 deletions
--- a/src/test/util/setup_common.h
+++ b/src/test/util/setup_common.h
@ -5,14 +5,14 @@
 #ifndef BITCOIN_TEST_UTIL_SETUP_COMMON_H
 #define BITCOIN_TEST_UTIL_SETUP_COMMON_H

-#include <common/args.h>
+#include <common/args.h> // IWYU pragma: export
 #include <key.h>
 #include <node/caches.h>
 #include <node/context.h> // IWYU pragma: export
 #include <primitives/transaction.h>
 #include <pubkey.h>
 #include <stdexcept>
-#include <util/chaintype.h>
+#include <util/chaintype.h> // IWYU pragma: export
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/string.h>
--- a/src/wallet/test/fuzz/scriptpubkeyman.cpp
+++ b/src/wallet/test/fuzz/scriptpubkeyman.cpp
@ -2,16 +2,37 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

+#include <addresstype.h>
 #include <chainparams.h>
-#include <validation.h>
+#include <coins.h>
+#include <key.h>
+#include <primitives/transaction.h>
+#include <psbt.h>
+#include <script/descriptor.h>
+#include <script/interpreter.h>
+#include <script/script.h>
+#include <script/signingprovider.h>
+#include <sync.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 #include <test/fuzz/util.h>
 #include <test/fuzz/util/descriptor.h>
 #include <test/util/setup_common.h>
+#include <util/check.h>
+#include <util/translation.h>
+#include <validation.h>
 #include <wallet/scriptpubkeyman.h>
-#include <wallet/wallet.h>
 #include <wallet/test/util.h>
+#include <wallet/types.h>
+#include <wallet/wallet.h>
+#include <wallet/walletutil.h>
+
+#include <map>
+#include <memory>
+#include <optional>
+#include <string>
+#include <utility>
+#include <variant>

 namespace wallet {
 namespace {
@ -99,7 +120,9 @@ FUZZ_TARGET(scriptpubkeyman, .init = initialize_spkm)
                    bool extract_dest{ExtractDestination(spk, dest)};
                    if (extract_dest) {
                        const std::string msg{fuzzed_data_provider.ConsumeRandomLengthString()};
-                        PKHash pk_hash{fuzzed_data_provider.ConsumeBool() ? PKHash{ConsumeUInt160(fuzzed_data_provider)} : *std::get_if<PKHash>(&dest)};
+                        PKHash pk_hash{std::get_if<PKHash>(&dest) && fuzzed_data_provider.ConsumeBool() ?
+                                           *std::get_if<PKHash>(&dest) :
+                                           PKHash{ConsumeUInt160(fuzzed_data_provider)}};
                        std::string str_sig;
                        (void)spk_manager->SignMessage(msg, pk_hash, str_sig);
                    }