Add rejection of non-null CHECKMULTISIG dummy values

This is a source of transaction mutability as the dummy value was previously not checked and could be modified to something other than the usual OP_0 value.
2026-01-20 15:19:07 +01:00 · 2014-03-10 17:36:35 -04:00
parent 29c17498a5
commit 6380180821
5 changed files with 63 additions and 5 deletions
--- a/src/script.cpp
+++ b/src/script.cpp
@@ -934,8 +934,22 @@ bool EvalScript(vector<vector<unsigned char> >& stack, const CScript& script, co
                            fSuccess = false;
                    }

-                    while (i-- > 0)
+                    // Clean up stack of actual arguments
+                    while (i-- > 1)
                        popstack(stack);
+
+                    // A bug causes CHECKMULTISIG to consume one extra argument
+                    // whose contents were not checked in any way.
+                    //
+                    // Unfortunately this is a potential source of mutability,
+                    // so optionally verify it is exactly equal to zero prior
+                    // to removing it from the stack.
+                    if (stack.size() < 1)
+                        return false;
+                    if ((flags & SCRIPT_VERIFY_NULLDUMMY) && stacktop(-1).size())
+                        return error("CHECKMULTISIG dummy argument not null");
+                    popstack(stack);
+
                    stack.push_back(fSuccess ? vchTrue : vchFalse);

                    if (opcode == OP_CHECKMULTISIGVERIFY)