An overflow in `TapSatisfier::FromPKHBytes`? #28871

issue hebasto opened this issue on November 14, 2023
  1. hebasto commented at 12:28 PM on November 14, 2023: member

    In the master branch @ fb85bb277670aad28fef51b7313d4a96cdaa760f, the following code in the DecodeScript function: https://github.com/bitcoin/bitcoin/blob/fb85bb277670aad28fef51b7313d4a96cdaa760f/src/script/miniscript.h#L2312-L2313 explicitly passes 33 bytes to the TapSatisfier::FromPKHBytes function, which expects 32 bytes only: https://github.com/bitcoin/bitcoin/blob/fb85bb277670aad28fef51b7313d4a96cdaa760f/src/script/sign.cpp#L295-L302

  2. sipa commented at 12:30 PM on November 14, 2023: member

    Not an issue; if this runs in tapscript context, the code will bail out before reaching this line.

  3. hebasto commented at 12:35 PM on November 14, 2023: member

    Right. But a compiler might be not aware of that:

    /usr/include/c++/11/bits/stl_algobase.h:431: warning: '__builtin_memcpy' writing 33 bytes into a region of size 32 overflows the destination [-Wstringop-overflow=]
  431 |             __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
      | 
/usr/include/c++/11/bits/stl_algobase.h: In function 'DecodeScript':
script/sign.cpp:299:21: note: destination object 'pubkey' of size 32
  299 |         XOnlyPubKey pubkey;
      |                     ^
  4. fanquake commented at 2:00 PM on November 14, 2023: member

    I'm assuming this is with GCC 11 under LTO? I'd suggest using a newer, "smarter" compiler. The same warnings don't appear under GCC 13.

  5. hebasto closed this on Nov 14, 2023
  6. bitcoin locked this on Nov 13, 2024
Contributors
hebastosipafanquake
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-24 21:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me