Merge bitcoin#18413: script: prevent UB when computing abs value for num opcode serialize

fanquake · PastaPastaPasta · commit 81f64f711616 · 2023-12-03T20:01:26.000-06:00
2748e87 script: prevent UB when computing abs value for num opcode serialize (pierrenn) Pull request description: This was reported by practicalswift here bitcoin#18046 It seems that the original author of the line used a reference to glibc `abs`: https://github.com/lattera/glibc/blob/master/stdlib/abs.c However depending on some implementation details this can be undefined behavior for unusual values. A detailed explanation of the UB is provided here : https://stackoverflow.com/questions/17313579/is-there-a-safe-way-to-get-the-unsigned-absolute-value-of-a-signed-integer-with (by [Billy O'Neal](https://twitter.com/malwareminigun)) Simple relevant godbolt example : https://godbolt.org/z/yRwtCG Thanks! ACKs for top commit: sipa: ACK 2748e87 MarcoFalke: ACK 2748e87, only checked that the bitcoind binary does not change with clang -O2 🎓 practicalswift: ACK 2748e87 Tree-SHA512: 539a34c636c2674c66cb6e707d9d0dfdce63f59b5525610ed88da10c9a8d59d81466b111ad63b850660cef3750d732fc7755530c81a2d61f396be0707cd86dec
diff --git a/src/script/script.h b/src/script/script.h
@@ -331,7 +331,7 @@ class CScriptNum
 
         std::vector<unsigned char> result;
         const bool neg = value < 0;
-        uint64_t absvalue = neg ? -value : value;
+        uint64_t absvalue = neg ? ~static_cast<uint64_t>(value) + 1 : static_cast<uint64_t>(value);
 
         while(absvalue)
         {
diff --git a/src/test/fuzz/integer.cpp b/src/test/fuzz/integer.cpp
@@ -141,11 +141,7 @@ FUZZ_TARGET_INIT(integer, initialize_integer)
 
     const CScriptNum script_num{i64};
     (void)script_num.getint();
-    // Avoid negation failure:
-    // script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
-    if (script_num != CScriptNum{std::numeric_limits<int64_t>::min()}) {
-        (void)script_num.getvch();
-    }
+    (void)script_num.getvch();
 
     const arith_uint256 au256 = UintToArith256(u256);
     assert(ArithToUint256(au256) == u256);
diff --git a/src/test/fuzz/scriptnum_ops.cpp b/src/test/fuzz/scriptnum_ops.cpp
@@ -123,10 +123,6 @@ FUZZ_TARGET(scriptnum_ops)
                 script_num &= fuzzed_data_provider.ConsumeIntegral<int64_t>();
             });
         (void)script_num.getint();
-        // Avoid negation failure:
-        // script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
-        if (script_num != CScriptNum{std::numeric_limits<int64_t>::min()}) {
-            (void)script_num.getvch();
-        }
+        (void)script_num.getvch();
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -331,7 +331,7 @@ class CScriptNum`
`331`	`331`
`332`	`332`	`std::vector<unsigned char> result;`
`333`	`333`	`const bool neg = value < 0;`
`334`		`- uint64_t absvalue = neg ? -value : value;`
	`334`	`+ uint64_t absvalue = neg ? ~static_cast<uint64_t>(value) + 1 : static_cast<uint64_t>(value);`
`335`	`335`
`336`	`336`	`while(absvalue)`
`337`	`337`	`{`
Original file line number	Diff line number	Diff line change
`@@ -123,10 +123,6 @@ FUZZ_TARGET(scriptnum_ops)`
`123`	`123`	`script_num &= fuzzed_data_provider.ConsumeIntegral<int64_t>();`
`124`	`124`	`});`
`125`	`125`	`(void)script_num.getint();`
`126`		`- // Avoid negation failure:`
`127`		`- // script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself`
`128`		`- if (script_num != CScriptNum{std::numeric_limits<int64_t>::min()}) {`
`129`		`- (void)script_num.getvch();`
`130`		`- }`
	`126`	`+ (void)script_num.getvch();`
`131`	`127`	`}`
`132`	`128`	`}`