UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse)

To reproduce:

```
wget https://github.com/bitcoin/bitcoin/files/9309619/crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt
FUZZ=descriptor_parse ./src/test/fuzz/fuzz ./crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt  -rss_limit_mb=1000
```

```
==119584==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffcf4e35ff8 (pc 0x55a9a0f40e0c bp 0x7ffcf4e36010 sp 0x7ffcf4e36000 T119584)
    #0 0x55a9a0f40e0c in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152
    #1 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
    #2 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
    #3 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
    #4 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
    #5 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
    #6 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
    #7 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
    #8 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
    #9 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
    #10 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
    #11 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
    #12 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
    #13 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
    #14 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
...
...
...
+/9/bits/stl_vector.h:677:2
    #1475 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
    #1476 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
    #1477 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
    #1478 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
    #1479 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
    #1480 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
    #1481 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
    #1482 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
    #1483 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
    #1484 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
    #1485 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
    #1486 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
    #1487 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
    #1488 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10

SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152 in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*)
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse) #25824

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse) #25824

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions