fuzz: rule-out too deep derivation paths in descriptor parsing targets

This fixes the reported timeouts and directs the target's cycles toward what it is intended to fuzz: the descriptor syntax.
Antoine Poinsot
2023-11-09 14:53:15 +01:00
parent 4b1196a985
commit a44808fb43
4 changed files with 44 additions and 0 deletions


@@ -67,6 +67,11 @@ void initialize_mocked_descriptor_parse()
FUZZ_TARGET(mocked_descriptor_parse, .init = initialize_mocked_descriptor_parse)
{
// Key derivation is expensive. Deriving deep derivation paths take a lot of compute and we'd
// rather spend time elsewhere in this target, like on the actual descriptor syntax. So rule
// out strings which could correspond to a descriptor containing a too large derivation path.
if (HasDeepDerivPath(buffer)) return;
const std::string mocked_descriptor{buffer.begin(), buffer.end()};
if (const auto descriptor = MOCKED_DESC_CONVERTER.GetDescriptor(mocked_descriptor)) {
FlatSigningProvider signing_provider;
@@ -78,6 +83,9 @@ FUZZ_TARGET(mocked_descriptor_parse, .init = initialize_mocked_descriptor_parse)
FUZZ_TARGET(descriptor_parse, .init = initialize_descriptor_parse)
{
// See comment above for rationale.
if (HasDeepDerivPath(buffer)) return;
const std::string descriptor(buffer.begin(), buffer.end());
FlatSigningProvider signing_provider;
std::string error;
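Review bot: The early return `if (HasDeepDerivPath(buffer)) return;` in both targets discards the input before it is parsed, so neither target exercises the descriptor parser on strings with long derivation paths any more, although the comment names derivation, not parsing, as the expensive step. HasDeepDerivPath is defined outside this section, so its depth threshold and how often it rejects inputs that are not really deep paths cannot be judged from here. If the coverage gap is accepted, state it at the call site, e.g. `// Note: such inputs are not parsed either, so deep-path parsing is not covered by this target.` In descriptor_parse, `// See comment above for rationale.` would be sturdier as `// See the comment in mocked_descriptor_parse for rationale.`, since "above" stops being true if the targets are reordered. Both function bodies continue past the hunks shown.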