Fix fuzz crashes (fixes #89)

kiminuo · kiminuo · commit cc7459c151b3 · 2020-05-27T08:39:42.000+02:00
* fix `thresh` and `multi` descriptors with no arguments
* fix roundtrip_concrete roundtrip for "older(03)"
* fix roundtrip_descriptor for "c:pk_k" ("pk" alias)
diff --git a/fuzz/fuzz_targets/roundtrip_descriptor.rs b/fuzz/fuzz_targets/roundtrip_descriptor.rs
@@ -9,7 +9,8 @@ fn do_test(data: &[u8]) {
     let s = String::from_utf8_lossy(data);
     if let Ok(desc) = Descriptor::<DummyKey>::from_str(&s) {
         let output = desc.to_string();
-        assert_eq!(s, output);
+        let normalize_aliases = s.replace("c:pk_k(", "pk(");
+        assert_eq!(normalize_aliases, output);
     }
 }
 
@@ -58,4 +59,11 @@ mod tests {
         extend_vec_from_hex("00", &mut a);
         super::do_test(&a);
     }
+
+    #[test]
+    fn test_cpkk_alias() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("633a706b5f6b2829", &mut a); // c:pk_k()
+        super::do_test(&a);
+    }
 }
diff --git a/fuzz/fuzz_targets/roundtrip_policy.rs b/fuzz/fuzz_targets/roundtrip_policy.rs
@@ -64,4 +64,11 @@ mod tests {
         extend_vec_from_hex("00", &mut a);
         super::do_test(&a);
     }
+
+    #[test]
+    fn duplicate_crash_2() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("746872657368", &mut a); // thresh
+        super::do_test(&a);
+    }
 }
diff --git a/src/descriptor/mod.rs b/src/descriptor/mod.rs
@@ -896,4 +896,22 @@ mod tests {
 
         assert_eq!(check, &Instruction::Op(OP_CSV))
     }
+
+    #[test]
+    fn empty_multi() {
+        let descriptor = Descriptor::<bitcoin::PublicKey>::from_str("multi");
+        assert_eq!(
+            descriptor.unwrap_err().to_string(),
+            "unexpected «no arguments given»"
+        )
+    }
+
+    #[test]
+    fn empty_thresh() {
+        let descriptor = Descriptor::<bitcoin::PublicKey>::from_str("thresh");
+        assert_eq!(
+            descriptor.unwrap_err().to_string(),
+            "unexpected «no arguments given»"
+        )
+    }
 }
diff --git a/src/expression.rs b/src/expression.rs
@@ -127,6 +127,14 @@ impl<'a> Tree<'a> {
 
 /// Parse a string as a u32, for timelocks or thresholds
 pub fn parse_num(s: &str) -> Result<u32, Error> {
+    if s.len() > 1 {
+        let ch = s.chars().next().unwrap();
+        if ch < '1' || ch > '9' {
+            return Err(Error::Unexpected(
+                "Number must start with a digit 1-9".to_string(),
+            ));
+        }
+    }
     u32::from_str(s).map_err(|_| errstr(s))
 }
 
@@ -172,3 +180,19 @@ where
         Err(errstr(term.name))
     }
 }
+
+#[cfg(test)]
+mod tests {
+
+    use super::parse_num;
+
+    #[test]
+    fn test_parse_num() {
+        assert!(parse_num("0").is_ok());
+        assert!(parse_num("00").is_err());
+        assert!(parse_num("0000").is_err());
+        assert!(parse_num("06").is_err());
+        assert!(parse_num("+6").is_err());
+        assert!(parse_num("-6").is_err());
+    }
+}
diff --git a/src/miniscript/astelem.rs b/src/miniscript/astelem.rs
@@ -429,8 +429,11 @@ where
                 Ok(expr)
             }
             ("thresh", n) => {
+                if n == 0 {
+                    return Err(errstr("no arguments given"));
+                }
                 let k = expression::terminal(&top.args[0], expression::parse_num)? as usize;
-                if n == 0 || k > n - 1 {
+                if k > n - 1 {
                     return Err(errstr("higher threshold than there are subexpressions"));
                 }
                 if n == 1 {
@@ -445,8 +448,11 @@ where
                 Ok(Terminal::Thresh(k, subs?))
             }
             ("multi", n) => {
+                if n == 0 {
+                    return Err(errstr("no arguments given"));
+                }
                 let k = expression::terminal(&top.args[0], expression::parse_num)? as usize;
-                if n == 0 || k > n - 1 {
+                if k > n - 1 {
                     return Err(errstr("higher threshold than there were keys in multi"));
                 }
 
diff --git a/src/policy/semantic.rs b/src/policy/semantic.rs
@@ -254,6 +254,9 @@ where
                 Ok(Policy::Or(subs))
             }
             ("thresh", nsubs) => {
+                if nsubs == 0 {
+                    return Err(errstr("thresh without args"));
+                }
                 if !top.args[0].args.is_empty() {
                     return Err(errstr(top.args[0].args[0].name));
                 }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@ fn do_test(data: &[u8]) {`
`9`	`9`	`let s = String::from_utf8_lossy(data);`
`10`	`10`	`if let Ok(desc) = Descriptor::<DummyKey>::from_str(&s) {`
`11`	`11`	`let output = desc.to_string();`
`12`		`- assert_eq!(s, output);`
	`12`	`+ let normalize_aliases = s.replace("c:pk_k(", "pk(");`
	`13`	`+ assert_eq!(normalize_aliases, output);`
`13`	`14`	`}`
`14`	`15`	`}`
`15`	`16`
`@@ -58,4 +59,11 @@ mod tests {`
`58`	`59`	`extend_vec_from_hex("00", &mut a);`
`59`	`60`	`super::do_test(&a);`
`60`	`61`	`}`
	`62`	`+`
	`63`	`+ #[test]`
	`64`	`+ fn test_cpkk_alias() {`
	`65`	`+ let mut a = Vec::new();`
	`66`	`+ extend_vec_from_hex("633a706b5f6b2829", &mut a); // c:pk_k()`
	`67`	`+ super::do_test(&a);`
	`68`	`+ }`
`61`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,4 +64,11 @@ mod tests {`
`64`	`64`	`extend_vec_from_hex("00", &mut a);`
`65`	`65`	`super::do_test(&a);`
`66`	`66`	`}`
	`67`	`+`
	`68`	`+ #[test]`
	`69`	`+ fn duplicate_crash_2() {`
	`70`	`+ let mut a = Vec::new();`
	`71`	`+ extend_vec_from_hex("746872657368", &mut a); // thresh`
	`72`	`+ super::do_test(&a);`
	`73`	`+ }`
`67`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -429,8 +429,11 @@ where`
`429`	`429`	`Ok(expr)`
`430`	`430`	`}`
`431`	`431`	`("thresh", n) => {`
	`432`	`+ if n == 0 {`
	`433`	`+ return Err(errstr("no arguments given"));`
	`434`	`+ }`
`432`	`435`	`let k = expression::terminal(&top.args[0], expression::parse_num)? as usize;`
`433`		`- if n == 0 \|\| k > n - 1 {`
	`436`	`+ if k > n - 1 {`
`434`	`437`	`return Err(errstr("higher threshold than there are subexpressions"));`
`435`	`438`	`}`
`436`	`439`	`if n == 1 {`
`@@ -445,8 +448,11 @@ where`
`445`	`448`	`Ok(Terminal::Thresh(k, subs?))`
`446`	`449`	`}`
`447`	`450`	`("multi", n) => {`
	`451`	`+ if n == 0 {`
	`452`	`+ return Err(errstr("no arguments given"));`
	`453`	`+ }`
`448`	`454`	`let k = expression::terminal(&top.args[0], expression::parse_num)? as usize;`
`449`		`- if n == 0 \|\| k > n - 1 {`
	`455`	`+ if k > n - 1 {`
`450`	`456`	`return Err(errstr("higher threshold than there were keys in multi"));`
`451`	`457`	`}`
`452`	`458`
Original file line number	Diff line number	Diff line change
`@@ -254,6 +254,9 @@ where`
`254`	`254`	`Ok(Policy::Or(subs))`
`255`	`255`	`}`
`256`	`256`	`("thresh", nsubs) => {`
	`257`	`+ if nsubs == 0 {`
	`258`	`+ return Err(errstr("thresh without args"));`
	`259`	`+ }`
`257`	`260`	`if !top.args[0].args.is_empty() {`
`258`	`261`	`return Err(errstr(top.args[0].args[0].name));`
`259`	`262`	`}`