From 386d01dcd829d606e266a1e0719333a480cd5fcd Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Mon, 2 Oct 2023 14:47:01 -0500
Subject: [PATCH] bolt11: check return value of pull_all

Otherwise, if pull_all fails, we attempt to create a script from NULL, causing a UBSan report: bitcoin/script.c:29:28: runtime error: null pointer passed as argument 2, which is declared to never be null
---
 common/bolt11.c | 2 ++
 .../crash-6a09efacc7816949fc57d006a8b513cbb7857f2f | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 tests/fuzz/corpora/fuzz-bolt11-decode/crash-6a09efacc7816949fc57d006a8b513cbb7857f2f

diff --git a/common/bolt11.c b/common/bolt11.c
index 164d7283df74..a168d66e5c30 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -390,6 +390,8 @@ static const char *decode_f(struct bolt11 *b11,
 		fallback = scriptpubkey_p2sh_hash(b11, shash);
 	} else if (version < 17) {
 		u8 *f = pull_all(tmpctx, hu5, data, field_len, false, &err);
+		if (!f)
+			return err;
 		if (version == 0) {
 			if (tal_count(f) != 20 && tal_count(f) != 32)
 				return tal_fmt(b11,
diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-6a09efacc7816949fc57d006a8b513cbb7857f2f b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-6a09efacc7816949fc57d006a8b513cbb7857f2f
new file mode 100644
index 000000000000..a088764773f5
--- /dev/null
+++ b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-6a09efacc7816949fc57d006a8b513cbb7857f2f
@@ -0,0 +1 @@
+lnltc1Uggzzzzfzzffffffffffffffffffffffffffffffgfffffffffffffffffzzzzfzzfffffffffffffffffffffffffffffffffffffffffffffffffffff
\ No newline at end of file
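Review bot: The added `if (!f) return err;` relies on pull_all always storing a non-NULL message in `err` whenever it returns NULL; if any failure path leaves `err` NULL, decode_f would return NULL, which the surrounding code appears to treat as success, so a malformed fallback field would decode silently instead of being rejected. The hunk does not show pull_all's contract, so either confirm that invariant or make the guard self-sufficient, e.g. `if (!f) return err ? err : tal_fmt(b11, "f: invalid fallback data");` (message constructed; match the file's existing wording). The hunk also shows other error strings allocated on `b11` via tal_fmt while `f` lives on tmpctx, so whether `err` has the lifetime the caller expects is worth a glance, as it is not visible here. The other pull_* call site in the `shash` branch just above this hunk may want the same NULL check. decode_f starts and ends outside the hunk.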