fix: the der signature parsing code in pubkey in pubkey.cpp #35178

pull orbisai0security wants to merge 1 commits into bitcoin:master from orbisai0security:fix-v-002-ecdsa-der-buffer-bounds-check changing 1 files +2 −0

orbisai0security commented at 7:32 AM on April 29, 2026: none
Summary

Fix critical severity security issue in src/pubkey.cpp.

Vulnerability

Field Value

ID V-002

Severity CRITICAL

Scanner multi_agent_ai

Rule V-002

File src/pubkey.cpp:160

Description: The DER signature parsing code in pubkey.cpp copies the r and s components of an ECDSA signature into a fixed 64-byte stack buffer (tmpsig) using memcpy. The destination offsets are computed as (tmpsig + 32 - rlen) and (tmpsig + 64 - slen). If rlen or slen exceed 32, the arithmetic produces a pointer before the start of the buffer (pointer underflow), writing attacker-controlled bytes to arbitrary stack or heap memory before tmpsig. No bounds check on rlen/slen against the value 32 is present in the reported code.

Changes
- src/pubkey.cpp
Verification
- Build passes
- Scanner re-scan confirms fix
- LLM code review passed
Automated security fix by OrbisAI Security

Field	Value
ID	V-002
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	`V-002`
File	`src/pubkey.cpp:160`

fix: V-002 security vulnerability

Automated security fix generated by Orbis Security AI

1c2577d8b9

DrahtBot commented at 7:33 AM on April 29, 2026: contributor



The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.



Reviews

See the guideline for information on the review process. A summary of reviews will appear here.
maflcko commented at 7:36 AM on April 29, 2026: member

ai slop
maflcko closed this on Apr 29, 2026

Contributors

orbisai0security

DrahtBot

maflcko

fix: the der signature parsing code in pubkey in pubkey.cpp #35178

Summary

Vulnerability

Changes

Verification

Reviews