fuzz: Improve ConsumeTxDestination

* Assert when a type is missing * Add missing WitnessV1Taproot * Limit WitnessUnknown to version [2, 16], to avoid abiguity * Limit WitnessUnknown to size [2, 40], to avoid invalid sizes
buzzeins · Jul 4, 2021 · fab9986 · fab9986
1 parent fa40c09
commit fab9986
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include <pubkey.h>
 #include <test/fuzz/util.h>
 #include <test/util/script.h>
 #include <util/rbf.h>
@@ -308,7 +309,7 @@ uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept
 {
     CTxDestination tx_destination;
-    CallOneOf(
+    const size_t call_size{CallOneOf(
         fuzzed_data_provider,
         [&] {
             tx_destination = CNoDestination{};
@@ -325,13 +326,20 @@ CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) no
         [&] {
             tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)};
         },
+        [&] {
+            tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}};
+        },
         [&] {
             WitnessUnknown witness_unknown{};
-            witness_unknown.version = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
-            const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+            witness_unknown.version = fuzzed_data_provider.ConsumeIntegralInRange(2, 16);
+            std::vector<uint8_t> witness_unknown_program_1{fuzzed_data_provider.ConsumeBytes<uint8_t>(40)};
+            if (witness_unknown_program_1.size() < 2) {
+                witness_unknown_program_1 = {0, 0};
+            }
             witness_unknown.length = witness_unknown_program_1.size();
             std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown.program);
             tx_destination = witness_unknown;
-        });
+        })};
+    Assert(call_size == std::variant_size_v<CTxDestination>);
     return tx_destination;
 }
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
@@ -37,14 +37,15 @@
 #include <vector>
 
 template <typename... Callables>
-void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
+size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
 {
     constexpr size_t call_size{sizeof...(callables)};
     static_assert(call_size >= 1);
     const size_t call_index{fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, call_size - 1)};
 
     size_t i{0};
     ((i++ == call_index ? callables() : void()), ...);
+    return call_size;
 }
 
 template <typename Collection>