From fa8d56f9f092fceab7dfb10533c4187e1b5fabfe Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Thu, 8 Jan 2026 12:27:03 +0100
Subject: [PATCH] fuzz: Reject too large descriptor leaf sizes in scriptpubkeyman target
---
 src/test/fuzz/util/descriptor.cpp | 20 ++++++++++++++++++++
 src/test/fuzz/util/descriptor.h | 8 ++++++++
 src/wallet/test/fuzz/scriptpubkeyman.cpp | 1 +
 3 files changed, 29 insertions(+)
diff --git a/src/test/fuzz/util/descriptor.cpp b/src/test/fuzz/util/descriptor.cpp
index 4e563eac4d7..08ab7104c19 100644
--- a/src/test/fuzz/util/descriptor.cpp
+++ b/src/test/fuzz/util/descriptor.cpp
@@ -143,3 +143,23 @@ bool HasTooManyWrappers(std::span buff, const int max_wrappers)
 return false;
 }
+
+bool HasTooLargeLeafSize(std::span buff, const uint32_t max_leaf_size)
+{
+ uint32_t leaf_len{0};
+ for (auto c : buff) {
+ if (c == '(' || c == ')' || c == ',' || c == '{' || c == '}') {
+ // Possibly start a fresh leaf, or a fresh function name (with
+ // wrappers), or terminate a prior leaf.
+ leaf_len = 0;
+ } else {
+ // Just treat everything else as a leaf. This will also reject long
+ // function names, but this should be fine if the max_leaf_size is
+ // set large enough.
+ if (++leaf_len > max_leaf_size) {
+ return true;
+ }
+ }
+ }
+ return false;
+}
diff --git a/src/test/fuzz/util/descriptor.h b/src/test/fuzz/util/descriptor.h
index 41605dd98d6..82cc967cb49 100644
--- a/src/test/fuzz/util/descriptor.h
+++ b/src/test/fuzz/util/descriptor.h
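Review bot: The definition of HasTooLargeLeafSize in descriptor.cpp carries no comment saying what the limit protects against, so the reason for the 200-byte default and the cost of raising it later has to be inferred from the commit title; the header doc only says the buffer "has a leaf size too large". I would add above the definition `// Harness-side cost bound on the expanded descriptor (see MAX_LEAF_SIZE in descriptor.h); not a descriptor validity rule, so it must not be mirrored into parsing code.` Presumably the motivation is a slow or memory-hungry path in the wallet target on very long leaves, but the commit message does not say, so it is worth recording in that comment or the PR description. As a smaller point, the limit types differ between the two sibling helpers — `MAX_WRAPPERS` is `int` with `const int max_wrappers`, while `MAX_LEAF_SIZE` is `uint32_t` — which is harmless here but inconsistent for two checks that sit side by side.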
@@ -76,4 +76,12 @@ constexpr int MAX_WRAPPERS{100};
 */
 bool HasTooManyWrappers(std::span buff, int max_wrappers = MAX_WRAPPERS);
+/// Default maximum leaf size. This should be large enough to cover an extended
+/// key, including paths "/", inside and outside of "[]".
+constexpr uint32_t MAX_LEAF_SIZE{200};
+
+/// Whether the expanded buffer (after calling GetDescriptor() in
+/// MockedDescriptorConverter) has a leaf size too large.
+bool HasTooLargeLeafSize(std::span buff, uint32_t max_leaf_size = MAX_LEAF_SIZE);
+
 #endif // BITCOIN_TEST_FUZZ_UTIL_DESCRIPTOR_H
diff --git a/src/wallet/test/fuzz/scriptpubkeyman.cpp b/src/wallet/test/fuzz/scriptpubkeyman.cpp
index ff9d1cc0d33..deb1a57983d 100644
--- a/src/wallet/test/fuzz/scriptpubkeyman.cpp
+++ b/src/wallet/test/fuzz/scriptpubkeyman.cpp
@@ -66,6 +66,7 @@ static std::optional> CreateWal
 if (IsTooExpensive(MakeUCharSpan(mocked_descriptor))) return {};
 const auto desc_str{MOCKED_DESC_CONVERTER.GetDescriptor(mocked_descriptor)};
 if (!desc_str.has_value()) return std::nullopt;
+ if (HasTooLargeLeafSize(MakeUCharSpan(*desc_str))) return {};
 FlatSigningProvider keys;
 std::string error;