fuzz: Improve ConsumeTxDestination

MarcoFalke · MarcoFalke · commit fab99865c0e6 · 2021-07-04T21:28:35.000+02:00
* Assert when a type is missing
* Add missing WitnessV1Taproot
* Limit WitnessUnknown to version [2, 16], to avoid abiguity
* Limit WitnessUnknown to size [2, 40], to avoid invalid sizes
diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include <pubkey.h>
 #include <test/fuzz/util.h>
 #include <test/util/script.h>
 #include <util/rbf.h>
@@ -308,7 +309,7 @@ uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept
 {
     CTxDestination tx_destination;
-    CallOneOf(
+    const size_t call_size{CallOneOf(
         fuzzed_data_provider,
         [&] {
             tx_destination = CNoDestination{};
@@ -325,13 +326,20 @@ CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) no
         [&] {
             tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)};
         },
+        [&] {
+            tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}};
+        },
         [&] {
             WitnessUnknown witness_unknown{};
-            witness_unknown.version = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
-            const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+            witness_unknown.version = fuzzed_data_provider.ConsumeIntegralInRange(2, 16);
+            std::vector<uint8_t> witness_unknown_program_1{fuzzed_data_provider.ConsumeBytes<uint8_t>(40)};
+            if (witness_unknown_program_1.size() < 2) {
+                witness_unknown_program_1 = {0, 0};
+            }
             witness_unknown.length = witness_unknown_program_1.size();
             std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown.program);
             tx_destination = witness_unknown;
-        });
+        })};
+    Assert(call_size == std::variant_size_v<CTxDestination>);
     return tx_destination;
 }
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
@@ -37,14 +37,15 @@
 #include <vector>
 
 template <typename... Callables>
-void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
+size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
 {
     constexpr size_t call_size{sizeof...(callables)};
     static_assert(call_size >= 1);
     const size_t call_index{fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, call_size - 1)};
 
     size_t i{0};
     ((i++ == call_index ? callables() : void()), ...);
+    return call_size;
 }
 
 template <typename Collection>

Original file line number	Diff line number	Diff line change
`@@ -37,14 +37,15 @@`
`37`	`37`	`#include <vector>`
`38`	`38`
`39`	`39`	`template <typename... Callables>`
`40`		`-void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)`
	`40`	`+size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)`
`41`	`41`	`{`
`42`	`42`	`constexpr size_t call_size{sizeof...(callables)};`
`43`	`43`	`static_assert(call_size >= 1);`
`44`	`44`	`const size_t call_index{fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, call_size - 1)};`
`45`	`45`
`46`	`46`	`size_t i{0};`
`47`	`47`	`((i++ == call_index ? callables() : void()), ...);`
	`48`	`+ return call_size;`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`template <typename Collection>`