From 4fa79837ad19fada3a3df3fb490617f6ca4606e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A8le=20Oul=C3=A8s?=
Date: Mon, 25 Jul 2022 18:45:43 +0200
Subject: [PATCH] psbt: Fix unsigned integer overflow
---
 src/psbt.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/psbt.h b/src/psbt.h
index c390bb67d38..eef7d7dd3b2 100644
--- a/src/psbt.h
+++ b/src/psbt.h
@@ -893,6 +893,9 @@ struct PSBTOutput
 s >> leaf_hashes;
 size_t after_hashes = s.size();
 size_t hashes_len = before_hashes - after_hashes;
+ if (hashes_len > value_len) {
+ throw std::ios_base::failure("Output Taproot BIP32 keypath has an invalid length");
+ }
 size_t origin_len = value_len - hashes_len;
 m_tap_bip32_paths.emplace(xonly, std::make_pair(leaf_hashes, DeserializeKeyOrigin(s, origin_len)));
 break;
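Review bot: The added guard in the PSBTOutput Taproot BIP32 branch still lets `hashes_len == value_len` through, so `origin_len` becomes 0 and is passed to `DeserializeKeyOrigin`. That function is not visible in this hunk, so confirm it rejects a zero length, or tighten the check to `if (hashes_len >= value_len) {`. A short why-comment above the check would help the next reader, for example `// reject before the unsigned subtraction value_len - hashes_len below can wrap`. The diffstat shows only src/psbt.h changed, so a regression test that decodes a PSBT whose leaf-hash vector is longer than the declared value length and expects the `std::ios_base::failure` would pin the fix. The enclosing case and function begin and end outside the hunk.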