fuzz: package_rbf crashes after out-of-range memory read #32121

1. 
   maflcko commented at 6:24 AM on March 22, 2025: member

   Diff to reproduce (turns UB into a runtime exception):

   diff --git a/src/test/fuzz/rbf.cpp b/src/test/fuzz/rbf.cpp
   index 3e5b361186..74099f770d 100644
   --- a/src/test/fuzz/rbf.cpp
   +++ b/src/test/fuzz/rbf.cpp
   @@ -118,7 +118,7 @@ FUZZ_TARGET(package_rbf, .init = initialize_package_rbf)
        }
        assert(iter <= g_outpoints.size());
        replacement_tx->vin.resize(1);
   -    replacement_tx->vin[0].prevout = g_outpoints[iter++];
   +    replacement_tx->vin[0].prevout = g_outpoints.at(iter++);
        CTransaction replacement_tx_final{*replacement_tx};
        auto replacement_entry = ConsumeTxMemPoolEntry(fuzzed_data_provider, replacement_tx_final);
        int32_t replacement_vsize = replacement_entry.GetTxSize();
   @@ -132,7 +132,7 @@ FUZZ_TARGET(package_rbf, .init = initialize_package_rbf)
            CMutableTransaction parent;
            assert(iter <= g_outpoints.size());
            parent.vin.resize(1);
   -        parent.vin[0].prevout = g_outpoints[iter++];
   +        parent.vin[0].prevout = g_outpoints.at(iter++);
            parent.vout.emplace_back(0, CScript());
    
            mempool_txs.emplace_back(parent);
   

   Input to reproduce:

   • https://github.com/user-attachments/files/19401119/package_rbf.crash.not.txt

   Command to reproduce:

   $ FUZZ=package_rbf ./bld-cmake/bin/fuzz ./package_rbf.crash.not.txt 
   
   terminate called after throwing an instance of 'std::out_of_range'
     what():  vector::_M_range_check: __n (which is 10000) >= this->size() (which is 10000)
   

2. maflcko added this to the milestone 29.0 on Mar 22, 2025
3. maflcko added the label Tests on Mar 22, 2025
4. glozow closed this on Mar 25, 2025

   ---

5. glozow referenced this in commit c0b7159de4 on Mar 25, 2025

Milestone
29.0