fuzz: Improve ConsumeTxDestination

* Assert when a type is missing * Add missing WitnessV1Taproot * Limit WitnessUnknown to version [2, 16], to avoid abiguity * Limit WitnessUnknown to size [2, 40], to avoid invalid sizes
2025-08-25 22:41:36 +02:00 · 2021-07-04 16:38:51 +02:00
parent fa40c0964b
commit fab99865c0
2 changed files with 14 additions and 5 deletions
--- a/src/test/fuzz/util.cpp
+++ b/src/test/fuzz/util.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

+#include <pubkey.h>
 #include <test/fuzz/util.h>
 #include <test/util/script.h>
 #include <util/rbf.h>
@@ -308,7 +309,7 @@ uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept
 {
    CTxDestination tx_destination;
-    CallOneOf(
+    const size_t call_size{CallOneOf(
        fuzzed_data_provider,
        [&] {
            tx_destination = CNoDestination{};
@@ -325,13 +326,20 @@ CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) no
        [&] {
            tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)};
        },
+        [&] {
+            tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}};
+        },
        [&] {
            WitnessUnknown witness_unknown{};
-            witness_unknown.version = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
-            const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+            witness_unknown.version = fuzzed_data_provider.ConsumeIntegralInRange(2, 16);
+            std::vector<uint8_t> witness_unknown_program_1{fuzzed_data_provider.ConsumeBytes<uint8_t>(40)};
+            if (witness_unknown_program_1.size() < 2) {
+                witness_unknown_program_1 = {0, 0};
+            }
            witness_unknown.length = witness_unknown_program_1.size();
            std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown.program);
            tx_destination = witness_unknown;
-        });
+        })};
+    Assert(call_size == std::variant_size_v<CTxDestination>);
    return tx_destination;
 }
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -37,7 +37,7 @@
 #include <vector>

 template <typename... Callables>
-void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
+size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
 {
    constexpr size_t call_size{sizeof...(callables)};
    static_assert(call_size >= 1);
@@ -45,6 +45,7 @@ void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)

    size_t i{0};
    ((i++ == call_index ? callables() : void()), ...);
+    return call_size;
 }

 template <typename Collection>