Fix fuzzer crash while allocating keys for multi_a

Author: sanket1729

fuzz/fuzz_targets/roundtrip_miniscript_script.rs

@@ -35,3 +35,30 @@ fn main() {
         });
     }
 }
+
+#[cfg(test)]
+mod tests {
+    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+        let mut b = 0;
+        for (idx, c) in hex.as_bytes().iter().enumerate() {
+            b <<= 4;
+            match *c {
+                b'A'...b'F' => b |= c - b'A' + 10,
+                b'a'...b'f' => b |= c - b'a' + 10,
+                b'0'...b'9' => b |= c - b'0',
+                _ => panic!("Bad hex"),
+            }
+            if (idx & 1) == 1 {
+                out.push(b);
+                b = 0;
+            }
+        }
+    }
+
+    #[test]
+    fn duplicate_crash3() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("1479002d00000020323731363342740000004000000000000000000000000000000000000063630004636363639c00000000000000000000", &mut a);
+        super::do_test(&a);
+    }
+}

fuzz/fuzz_targets/roundtrip_miniscript_str.rs

@@ -38,3 +38,30 @@ fn main() {
         });
     }
 }
+
+#[cfg(test)]
+mod tests {
+    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+        let mut b = 0;
+        for (idx, c) in hex.as_bytes().iter().enumerate() {
+            b <<= 4;
+            match *c {
+                b'A'...b'F' => b |= c - b'A' + 10,
+                b'a'...b'f' => b |= c - b'a' + 10,
+                b'0'...b'9' => b |= c - b'0',
+                _ => panic!("Bad hex"),
+            }
+            if (idx & 1) == 1 {
+                out.push(b);
+                b = 0;
+            }
+        }
+    }
+
+    #[test]
+    fn duplicate_crash() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("1479002d00000020323731363342740000004000000000000000000000000000000000000063630004636363639c00000000000000000000", &mut a);
+        super::do_test(&a);
+    }
+}

src/lib.rs

@@ -481,6 +481,8 @@ pub enum Error {
     AddrError(bitcoin::util::address::Error),
     /// A `CHECKMULTISIG` opcode was preceded by a number > 20
     CmsTooManyKeys(u32),
+    /// A tapscript multi_a cannot support more than MAX_BLOCK_WEIGHT/32 keys
+    MultiATooManyKeys(u32),
     /// Encountered unprintable character in descriptor
     Unprintable(u8),
     /// expected character while parsing descriptor; didn't find one
@@ -673,6 +675,9 @@ impl fmt::Display for Error {
             Error::PubKeyCtxError(ref pk, ref ctx) => {
                 write!(f, "Pubkey error: {} under {} scriptcontext", pk, ctx)
             }
+            Error::MultiATooManyKeys(k) => {
+                write!(f, "MultiA too many keys {}", k)
+            }
         }
     }
 }

src/miniscript/decode.rs

@@ -17,6 +17,7 @@
 //! Functionality to parse a Bitcoin Script into a `Miniscript`
 //!
 
+use bitcoin::blockdata::constants::MAX_BLOCK_WEIGHT;
 use bitcoin::hashes::{hash160, ripemd160, sha256, sha256d, Hash};
 use std::marker::PhantomData;
 use std::{error, fmt};
@@ -489,6 +490,10 @@ pub fn parse<Ctx: ScriptContext>(
                     },
                     // MultiA
                     Tk::NumEqual, Tk::Num(k) => {
+                        // Check size before allocating keys
+                        if k > MAX_BLOCK_WEIGHT/32 {
+                            return Err(Error::MultiATooManyKeys(MAX_BLOCK_WEIGHT/32))
+                        }
                         let mut keys = Vec::with_capacity(k as usize); // atleast k capacity
                         while tokens.peek() == Some(&Tk::CheckSigAdd) {
                             match_token!(