From 166be674072c30570418edb9348820dff5d9139f Mon Sep 17 00:00:00 2001
From: MarcoFalke
Date: Sun, 8 Dec 2019 13:17:21 -0500
Subject: [PATCH] Merge #17685: tests: Fix bug in the descriptor parsing fuzzing harness (descriptor_parse)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

6338c0203416a5f86e9422b6cd479da8af277f2f tests: Fix fuzzing harness for descriptor parsing (descriptor_parse) (practicalswift)

Pull request description:

Fix bug in the descriptor parsing fuzzing harness (`descriptor_parse`) by making sure `secp256k1_context_verify` is properly initialized (via `ECCVerifyHandle`).

Background: When fuzzing `Parse(…)` with `libFuzzer` I eventually reached the test case `combo(020000000000000000000000000000000000000000000000000000000000000000)`. That input triggers a call to `CPubKey::IsFullyValid()` which in turn requires an initialized `secp256k1_context_verify`. The fuzzing harness did not fulfil that pre-condition prior to this commit (sorry, my fault!) :)

Before:

```
$ mkdir descriptors/
$ echo -n 'combo(020000000000000000000000000000000000000000000000000000000000000000)' > descriptors/input
$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" src/test/fuzz/descriptor_parse -runs=1 descriptors/
…
pubkey.cpp:210:38: runtime error: null pointer passed as argument 1, which is declared to never be null
secp256k1/include/secp256k1.h:305:3: note: nonnull attribute specified here
    #0 0x561c032ccf25 in CPubKey::IsFullyValid() const src/pubkey.cpp:210:12
    #1 0x561c022139c3 in (anonymous namespace)::ParsePubkeyInner(Span const&, bool, FlatSigningProvider&, std::__cxx11::basic_string, std::allocator >&) src/script/descriptor.cpp:674:24
    #2 0x561c02207680 in (anonymous namespace)::ParsePubkey(Span const&, bool, FlatSigningProvider&, std::__cxx11::basic_string, std::allocator >&) src/script/descriptor.cpp:730:42
    #3 0x561c0220080e in (anonymous namespace)::ParseScript(Span&, (anonymous namespace)::ParseScriptContext, FlatSigningProvider&, std::__cxx11::basic_string, std::allocator >&) src/script/descriptor.cpp:774:23
    #4 0x561c021ffb07 in Parse(std::__cxx11::basic_string, std::allocator > const&, FlatSigningProvider&, std::__cxx11::basic_string, std::allocator >&, bool) src/script/descriptor.cpp:994:16
    #5 0x561c0218d5d4 in test_one_input(std::vector > const&) src/test/fuzz/descriptor_parse.cpp:20:9
…
$
```

After:

```
$ mkdir descriptors/
$ echo -n 'combo(020000000000000000000000000000000000000000000000000000000000000000)' > descriptors/input
$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" src/test/fuzz/descriptor_parse -runs=1 descriptors/
…
Done 2 runs in 0 second(s)
$
```

ACKs for top commit:
  paymog:
    ACK 6338c0203416a5f86e9422b6cd479da8af277f2f
  MarcoFalke:
    ACK 6338c0203416a5f86e9422b6cd479da8af277f2f 🕊

Tree-SHA512: bf24c404e1f64183761b057d2f210c3db85277f4415122977c315d7d6835acb5e897b5d64032615e9e44ad4a16dfe857e94481f6e4b57b6dfa8cb37adb2528a5
---
 src/test/fuzz/descriptor_parse.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/test/fuzz/descriptor_parse.cpp b/src/test/fuzz/descriptor_parse.cpp
index 90c34c0ee8c98..83b41d5a322e3 100644
--- a/src/test/fuzz/descriptor_parse.cpp
+++ b/src/test/fuzz/descriptor_parse.cpp
@@ -4,12 +4,15 @@ #include #include +#include #include
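Review bot: the only change visible in this hunk is one added `#include` line, while the hunk header (`-4,12 +4,15`) and the diffstat both report 3 insertions, so the two lines that actually instantiate `ECCVerifyHandle` (the fix the description names) are not shown here and need to be checked separately. The property to confirm on those lines is the one the trace makes explicit: `secp256k1_context_verify` must be initialized before the first `Parse(...)` call reached from `test_one_input` (frame #5) and remain initialized for every subsequent input, which means a handle with static lifetime rather than one constructed inside `test_one_input` per input. A one-line comment on the handle explaining that `CPubKey::IsFullyValid()` (reached three frames down, via `ParsePubkeyInner`) depends on it would keep the next harness author from dropping it.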