Skip to content

Commit 3137573

Browse files
ddustinddustin
committed
PSBT: Fix compare to not mutate memory
PSBT changeset routines were using linearize_output which mutated the memory of the objects it was comparing. This commit fixes that and also cleans up the memory usage to be more clear and more guarentee there is no memory corruption. Changelog-None
1 parent 29942db commit 3137573

File tree

1 file changed

+25
-20
lines changed

1 file changed

+25
-20
lines changed

common/psbt_open.c

+25-20
Original file line numberDiff line numberDiff line change
@@ -61,14 +61,16 @@ static int compare_outputs_at(const struct output_set *a,
6161
}
6262

6363
static const u8 *linearize_input(const tal_t *ctx,
64-
const struct wally_psbt_input *in)
64+
const struct wally_psbt *parent,
65+
size_t index)
6566
{
67+
struct wally_psbt *copy = clone_psbt(NULL, parent);
6668
struct wally_psbt *psbt = create_psbt(NULL, 1, 0, 0);
69+
struct wally_psbt_input dummy_in;
6770
size_t byte_len;
6871

69-
psbt->inputs[0] = *in;
70-
psbt->num_inputs++;
71-
72+
dummy_in = psbt->inputs[0];
73+
psbt->inputs[0] = copy->inputs[index];
7274

7375
/* Sort the inputs, so serializing them is ok */
7476
wally_map_sort(&psbt->inputs[0].unknowns, 0);
@@ -88,25 +90,31 @@ static const u8 *linearize_input(const tal_t *ctx,
8890

8991
const u8 *bytes = psbt_get_bytes(ctx, psbt, &byte_len);
9092

91-
/* Hide the inputs we added, so it doesn't get freed */
92-
psbt->num_inputs--;
93+
psbt->inputs[0] = dummy_in;
94+
9395
tal_free(psbt);
96+
tal_free(copy);
97+
9498
return bytes;
9599
}
96100

97101
static const u8 *linearize_output(const tal_t *ctx,
98-
const struct wally_psbt_output *out)
102+
const struct wally_psbt *parent,
103+
size_t index)
99104
{
100-
struct wally_psbt *psbt = create_psbt(NULL, 1, 1, 0);
105+
struct wally_psbt *copy = clone_psbt(NULL, parent);
106+
struct wally_psbt *psbt = create_psbt(NULL, 0, 1, 0);
107+
struct wally_psbt_output dummy_out;
101108
size_t byte_len;
102109
struct bitcoin_outpoint outpoint;
103110

104111
/* Add a 'fake' non-zero input so libwally will agree to linearize the tx */
105112
memset(&outpoint, 1, sizeof(outpoint));
106113
psbt_append_input(psbt, &outpoint, 0, NULL, NULL, NULL);
107114

108-
psbt->outputs[0] = *out;
109-
psbt->num_outputs++;
115+
dummy_out = psbt->outputs[0];
116+
psbt->outputs[0] = copy->outputs[index];
117+
110118
/* Sort the outputs, so serializing them is ok */
111119
wally_map_sort(&psbt->outputs[0].unknowns, 0);
112120

@@ -120,9 +128,10 @@ static const u8 *linearize_output(const tal_t *ctx,
120128

121129
const u8 *bytes = psbt_get_bytes(ctx, psbt, &byte_len);
122130

123-
/* Hide the outputs we added, so it doesn't get freed */
124-
psbt->num_outputs--;
131+
psbt->outputs[0] = dummy_out;
125132
tal_free(psbt);
133+
tal_free(copy);
134+
126135
return bytes;
127136
}
128137

@@ -131,10 +140,8 @@ static bool input_identical(const struct wally_psbt *a,
131140
const struct wally_psbt *b,
132141
size_t b_index)
133142
{
134-
const u8 *a_in = linearize_input(tmpctx,
135-
&a->inputs[a_index]);
136-
const u8 *b_in = linearize_input(tmpctx,
137-
&b->inputs[b_index]);
143+
const u8 *a_in = linearize_input(tmpctx, a, a_index);
144+
const u8 *b_in = linearize_input(tmpctx, b, b_index);
138145

139146
return tal_arr_eq(a_in, b_in);
140147
}
@@ -144,10 +151,8 @@ static bool output_identical(const struct wally_psbt *a,
144151
const struct wally_psbt *b,
145152
size_t b_index)
146153
{
147-
const u8 *a_out = linearize_output(tmpctx,
148-
&a->outputs[a_index]);
149-
const u8 *b_out = linearize_output(tmpctx,
150-
&b->outputs[b_index]);
154+
const u8 *a_out = linearize_output(tmpctx, a, a_index);
155+
const u8 *b_out = linearize_output(tmpctx, b, b_index);
151156
return tal_arr_eq(a_out, b_out);
152157
}
153158

0 commit comments

Comments
 (0)