Merge bitcoin/bitcoin#29176: wallet: Fix use-after-free in WalletBatch::EraseRecords

faebf1df2a wallet: Fix use-after-free in WalletBatch::EraseRecords (MarcoFalke)

Pull request description:

  Creating a copy of the pointer to the underlying data of the stream is not enough to copy the data.

  Currently this happens to work sometimes, because the stream may not immediately free unused memory. However, there is no guarantee by the stream interface to always behave this way. Also, if `vector::clear` is called on the underlying memory, any pointers to it are invalid.

  Fix this, by creating a full copy of all bytes.

ACKs for top commit:
  achow101:
    ACK faebf1df2a

Tree-SHA512: 79ede9bc16cf257609545597bc6d9623ceead4531780ea6037cc5684aa3a7c7d80601354d315358defe47193f978a8ce40c5dc4637e32936c76157679b549ac5
Ava Chow
2024-01-04 10:11:22 -05:00

@@ -1401,13 +1401,13 @@ bool WalletBatch::EraseRecords(const std::unordered_set<std::string>& types)
}
// Make a copy of key to avoid data being deleted by the following read of the type
Span key_data{key};
const SerializeData key_data{key.begin(), key.end()};
std::string type;
key >> type;
if (types.count(type) > 0) {
if (!m_batch->Erase(key_data)) {
if (!m_batch->Erase(Span{key_data})) {
cursor.reset(nullptr);
m_batch->TxnAbort();
return false; // erase failed
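
Review bot: The comment above `const SerializeData key_data{key.begin(), key.end()};` is worded exactly as it was for the `Span key_data{key};` version, so the code itself does not record why a view was insufficient. Suggest extending it to say that the copy must own its bytes because the following `key >> type` may release or reuse the stream's underlying buffer, which keeps a later cleanup from turning it back into a non-owning `Span`. Note also that the copy is now taken for every record the loop visits, before the `types.count(type) > 0` check, including records that are never erased; that is correct, but worth a word in the comment if allocations in this loop matter.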