Read past end of array in AcceptBlock #2934

issue jeremysawicki opened this issue on August 24, 2013
  1. jeremysawicki commented at 8:44 PM on August 24, 2013: none

    This line in AcceptBlock can read past the end of scriptSig:

    if (!std::equal(expect.begin(), expect.end(), block.vtx[0].vin[0].scriptSig.begin()))

    A malicious block could potentially cause a node to access an invalid memory address, causing a crash.

    More subtly, a malicious block that omits the final byte of the block height could have a 1 in 256 chance of being accepted as valid if the garbage byte past the end of the scriptSig happens to have the right value. By sending the same block to a node repeatedly, it may be possible to get the node to accept the invalid block with high probability.

  2. sipa closed this on Aug 25, 2013
  3. Bushstar referenced this in commit d3bd9b633e on Apr 8, 2020
  4. MarcoFalke locked this on Sep 8, 2021
Contributors
jeremysawicki
Linked (view graph)
#2935 Fix out-of-bounds check
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-19 12:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me