kernel: fail closed on invalid C API caller inputs #35339

issue fallintoplace opened this issue on May 20, 2026
  1. fallintoplace commented at 10:15 PM on May 20, 2026:

    Several exported libbitcoinkernel C API functions currently rely on assertions for caller-provided runtime inputs, including transaction/block index accessors, script verification flags and input indexes, precomputed transaction data spent-output arrays, and block undo accessors.

    The public header describes error reporting through return values and status out parameters. For external callers, invalid runtime input should fail closed with nullptr, 0, or a specific status rather than terminating the process through an assertion.

    Examples of affected areas:

    • btck_transaction_get_output_at and btck_transaction_get_input_at
    • btck_script_pubkey_verify
    • btck_precomputed_transaction_data_create
    • btck_block_get_transaction_at
    • btck_block_spent_outputs_get_transaction_spent_outputs_at
    • btck_transaction_spent_outputs_get_coin_at

    Expected behavior:

    • Out-of-range accessor indexes return nullptr.
    • Unsupported script verification flag bits return 0 and set a status.
    • Out-of-range script verification input indexes return 0 and set a status.
    • Malformed spent-output arrays return nullptr.

    This would make the experimental C API more robust for external consumers while preserving the existing non-null handle preconditions.
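The following sketch is added here to illustrate the fail-closed pattern the issue asks for; it is not code from bitcoin/bitcoin or from the issue author. The demo_* names, struct layouts, flag mask, status codes and sample transaction are all assumptions standing in for the btck_* functions listed above. Non-null handles stay as asserted preconditions, while runtime inputs (indexes, flag bits, spent-output array lengths) are validated and reported through nullptr, 0 or a status out parameter.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical status codes; libbitcoinkernel's real codes are not reproduced here. */
typedef enum {
    DEMO_OK = 0,
    DEMO_ERR_INVALID_FLAGS = 1,  /* unsupported script verification flag bits */
    DEMO_ERR_INPUT_INDEX = 2     /* script verification input index out of range */
} demo_status;

/* Hypothetical supported flag bits; any bit outside DEMO_FLAGS_ALL is rejected. */
#define DEMO_FLAG_P2SH    (1u << 0)
#define DEMO_FLAG_WITNESS (1u << 1)
#define DEMO_FLAGS_ALL    (DEMO_FLAG_P2SH | DEMO_FLAG_WITNESS)

typedef struct { int64_t value; } demo_output;

typedef struct {
    const demo_output *outputs;
    size_t n_outputs;
    size_t n_inputs;
} demo_transaction;

/* Precomputed data over the outputs being spent; one entry per input is required. */
typedef struct {
    const demo_output *spent;
    size_t n_spent;
} demo_precomputed;

/* Fail-closed accessor: the handle must be non-null (kept as a precondition), but an
 * out-of-range index yields NULL instead of tripping an assertion. */
const demo_output *demo_transaction_get_output_at(const demo_transaction *tx, size_t index)
{
    assert(tx != NULL);
    if (index >= tx->n_outputs) return NULL;
    return &tx->outputs[index];
}

/* Fail-closed constructor: a spent-output array whose length does not match the number
 * of inputs, or a NULL array with a non-zero length, is malformed and yields NULL. */
demo_precomputed *demo_precomputed_create(const demo_transaction *tx,
                                          const demo_output *spent, size_t n_spent)
{
    assert(tx != NULL);
    if (n_spent != tx->n_inputs || (spent == NULL && n_spent > 0)) return NULL;
    demo_precomputed *p = malloc(sizeof *p);
    if (p == NULL) return NULL;
    p->spent = spent;
    p->n_spent = n_spent;
    return p;
}

void demo_precomputed_destroy(demo_precomputed *p) { free(p); }

/* Fail-closed verification entry point: returns 1 on success, 0 on failure with *status
 * set. Caller-provided runtime inputs are validated before any other work happens. */
int demo_verify(const demo_transaction *tx, unsigned int flags, size_t input_index,
                demo_status *status)
{
    demo_status local;
    assert(tx != NULL);
    if (status == NULL) status = &local;   /* status out parameter is optional */
    *status = DEMO_OK;

    if ((flags & ~DEMO_FLAGS_ALL) != 0u) { *status = DEMO_ERR_INVALID_FLAGS; return 0; }
    if (input_index >= tx->n_inputs)     { *status = DEMO_ERR_INPUT_INDEX;   return 0; }

    /* Real script evaluation would run here; validated input is treated as success. */
    return 1;
}

/* Convenience wrapper that reports only the status code. */
demo_status demo_verify_status(const demo_transaction *tx, unsigned int flags, size_t input_index)
{
    demo_status st;
    demo_verify(tx, flags, input_index, &st);
    return st;
}

/* Constructed sample: a transaction with two outputs and one input. */
static const demo_output demo_outputs[2] = { {5000}, {1000} };
static const demo_transaction demo_tx = { demo_outputs, 2, 1 };

const demo_transaction *demo_sample_transaction(void) { return &demo_tx; }
const demo_output *demo_sample_spent(void) { return &demo_outputs[0]; }

/* Returns 1 if precomputed data could be created from the given array, else 0. */
int demo_try_precompute(const demo_output *spent, size_t n_spent)
{
    demo_precomputed *p = demo_precomputed_create(&demo_tx, spent, n_spent);
    if (p == NULL) return 0;
    demo_precomputed_destroy(p);
    return 1;
}

int main(void)
{
    demo_status st;
    printf("output[2] -> %s\n", demo_transaction_get_output_at(&demo_tx, 2) ? "ptr" : "NULL");
    printf("verify with flag bit 7 -> %d (status %d)\n",
           demo_verify(&demo_tx, 1u << 7, 0, &st), (int)st);
    printf("precompute with 2 entries for 1 input -> %d\n",
           demo_try_precompute(demo_sample_spent(), 2));
    return 0;
}
```

The split mirrors the issue's distinction: a null handle is a programming error on the caller's side and stays an assertion, whereas an index, flag word or array length is data that may come from untrusted input at runtime and is reported back rather than aborting the process.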


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-21 00:51 UTC