extended keys: fail to derive too large depth instead of wrapping around

This issue was reported to me by Marco Falke, and found with the descriptor_parse fuzz target.
2025-10-10 19:43:13 +02:00 · 2022-07-19 11:58:16 +02:00
parent 8dc6670ce1
commit fb9faffae3
3 changed files with 20 additions and 0 deletions
--- a/src/pubkey.cpp
+++ b/src/pubkey.cpp
@@ -365,6 +365,7 @@ void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VE
 }

 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
+    if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
    out.nDepth = nDepth + 1;
    CKeyID id = pubkey.GetID();
    memcpy(out.vchFingerprint, &id, 4);