From eb66bf9bdd5ae20c546314eb2c494ac09929970f Mon Sep 17 00:00:00 2001
From: Awemany
Date: Tue, 28 Mar 2017 14:52:59 +0200
Subject: [PATCH] bitcoin-tx: Fix missing range check

The number of arguments is not checked MutateTxAddOutAddr(..), meaning that > ./bitcoin-tx -create outaddr= accessed the vStrInputParts vector beyond its bounds. This also includes work by jnewbery to check the inputs for MutateTxAddPubKey()
---
 src/bitcoin-tx.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bitcoin-tx.cpp b/src/bitcoin-tx.cpp
index 61e0eb74e6..83b855cbcf 100644
--- a/src/bitcoin-tx.cpp
+++ b/src/bitcoin-tx.cpp
@@ -242,6 +242,9 @@ static void MutateTxAddOutAddr(CMutableTransaction& tx, const std::string& strIn
 std::vector vStrInputParts;
 boost::split(vStrInputParts, strInput, boost::is_any_of(":"));
+ if (vStrInputParts.size() != 2)
+ throw std::runtime_error("TX output missing or too many separators");
+ // Extract and validate VALUE
 CAmount value = ExtractAndValidateValue(vStrInputParts[0]);
@@ -264,6 +267,9 @@ static void MutateTxAddOutPubKey(CMutableTransaction& tx, const std::string& str
 std::vector vStrInputParts;
 boost::split(vStrInputParts, strInput, boost::is_any_of(":"));
+ if (vStrInputParts.size() < 2 || vStrInputParts.size() > 3)
+ throw std::runtime_error("TX output missing or too many separators");
+ // Extract and validate VALUE
 CAmount value = ExtractAndValidateValue(vStrInputParts[0]);
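Review bot: The size check added in MutateTxAddOutAddr is what makes the unchecked `operator[]` reads after it safe (`vStrInputParts[0]` on the context line below, and presumably `[1]` further down, outside the hunk), but nothing in the code says so. A comment such as `// Exactly two ':'-separated fields; the unchecked operator[] reads below rely on this.` would keep a later edit from moving or loosening the guard, and the same applies to the guard in MutateTxAddOutPubKey in the next hunk. Both guards are multi-line `if` statements without braces, which makes it easy to detach the `throw` from its condition; `if (vStrInputParts.size() != 2) {` with the `throw` inside and a closing `}` is safer. The diffstat lists only src/bitcoin-tx.cpp, so the reproducer from the commit message (`-create outaddr=`) is not captured as a regression test in this patch.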
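Review bot: The range check in MutateTxAddOutPubKey admits both two and three fields, so only `vStrInputParts[0]` and `[1]` may be indexed unconditionally after it; any read of `vStrInputParts[2]` must stay behind a `size() == 3` test. That code lies outside this hunk, so the diff alone cannot confirm it. The check also counts fields without inspecting them: `boost::split` with its default token handling keeps empty tokens, so an input made only of separators passes the count. Rejecting empty fields is therefore left to the per-field validation that follows.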