[bug]: panic on ReadTaprootBip32Derivation #2372

@brunoerg

When parsing a PSBT, I just got a panic due to makeslice: len out of range in ReadTaprootBip32Derivation. Perhaps due to LeafHashes: make([][]byte, int(numHashes)):

	if len(value) < (int(numHashes)*32)+5 {
		return nil, ErrInvalidPsbtFormat
	}
	derivation := TaprootBip32Derivation{
		XOnlyPubKey: xOnlyPubKey,
		LeafHashes:  make([][]byte, int(numHashes)),
	}
	for i := 0; i < int(numHashes); i++ {
		derivation.LeafHashes[i] = make([]byte, 32)
		n, err := reader.Read(derivation.LeafHashes[i])
		if err != nil || n != 32 {
			return nil, ErrInvalidPsbtFormat
		}
	}

Test to reproduce:

func TestPSBTCrash(t *testing.T) {
	hexString := "70736274ff01007374ff01030100000000002f0000002e2873007374ff01070100000000000000000000000000000000000000060680050000736274ff01000a0000000060c70006060000736274ff01000a000001000001002407010000000000000000000000000000000000000006060000736274ff01000a0000000000010024c760002a707362c760000b0500000000000000060605000073626274ff01000a00000000000100242121212121212121212121212121212121212121212121212121212121212121212121212107010000000000000000000000000000000000000006060000736274ff01000a000eff000001000a0a040404040404040400"
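	// Convert hex string to byte slice
	buffer, err := hex.DecodeString(hexString)
	if err != nil {
		t.Fatalf("Failed to decode hex: %v", err)
	}
	// On affected code this call panics inside ReadTaprootBip32Derivation.
	psbt, err := NewFromRawBytes(bytes.NewBuffer(buffer), false)
	if err != nil {
		// An error return (instead of a panic) leaves psbt nil, so stop here.
		t.Logf("parse returned an error without panicking: %v", err)
		return
	}
	t.Logf("got transaction: %v", spew.Sdump(psbt.UnsignedTx))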
}
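
An added example (not part of the issue and not the project's code) showing how the quoted length check can pass for a huge count while the following make panics, next to a bound computed by division. It assumes numHashes is a uint64 decoded from untrusted input and a 64-bit int; checkedLeafCount, allocPanics, uncheckedBoundPasses and errInvalidFormat are hypothetical names, and the sample counts are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in for the ErrInvalidPsbtFormat value used in the quoted snippet.
var errInvalidFormat = errors.New("invalid PSBT format")

var sink [][]byte // keeps the allocation below from being optimized away

// uncheckedBoundPasses repeats the arithmetic of the quoted length check.
// Assumption: numHashes is a uint64 taken from the serialized field.
func uncheckedBoundPasses(valueLen int, numHashes uint64) bool {
	return !(valueLen < (int(numHashes)*32)+5)
}

// checkedLeafCount bounds the count in uint64 space, by division,
// before any conversion to int or multiplication can wrap.
func checkedLeafCount(valueLen int, numHashes uint64) (int, error) {
	if valueLen < 5 {
		return 0, errInvalidFormat
	}
	if numHashes > uint64(valueLen-5)/32 {
		return 0, errInvalidFormat
	}
	return int(numHashes), nil
}

// allocPanics reports whether make([][]byte, n) panics for this n.
func allocPanics(n int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	sink = make([][]byte, n)
	return false
}

func main() {
	const valueLen = 40 // constructed: length of a short field value
	for _, n := range []uint64{1, 1 << 59, 1 << 63} { // constructed counts
		_, err := checkedLeafCount(valueLen, n)
		fmt.Printf("numHashes=%d unchecked passes=%v alloc panics=%v checked err=%v\n",
			n, uncheckedBoundPasses(valueLen, n), allocPanics(int(n)), err)
	}
}
```

With a count of 1 << 59 or 1 << 63 the product int(numHashes)*32 wraps to 0, so the unchecked comparison only requires five bytes of input, while the division-based check rejects both counts before any allocation.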
