Fix OOB write in fillExtraMM nonce handling by MoneroOcean · Pull Request #36 · MoneroOcean/node-blocktemplate

MoneroOcean · 2026-06-03T18:22:12Z

The fillExtraMM code trusted the TX_EXTRA_NONCE declared length byte and copied a 35-byte merged-mining tag without verifying the actual payload was present, leading to an out-of-bounds write and possible native heap corruption.
The change aims to validate the nonce payload length before any rewrite/copy to prevent daemon-supplied malformed block templates from crashing or corrupting the process.

Add explicit bounds validation that extra_nonce_start and extra_nonce_start + extra_nonce_size are within miner_tx.extra before modifying the vector.
Validate that the declared extra_nonce_size is at least MM_NONCE_SIZE and compute new_extra_nonce_size as an unsigned size_t.
Update the nonce-length byte with a safe static_cast<uint8_t> and copy the merged-mining tag to a destination offset derived from the validated extra_nonce_start and new_extra_nonce_size, preserving original behavior for valid inputs.

Reviewed the source patch and diff to confirm the added checks and adjusted offsets are correct.
Displayed the modified region with nl -ba src/main.cc | sed -n '96,135p' to verify the new logic in context.
No project build or automated test suite was run in this environment.

Fix bounds check for merged-mining extra nonce rewrite

1807a5f

MoneroOcean added aardvark codex labels Jun 3, 2026 — with ChatGPT Codex Connector

MoneroOcean added aardvark codex labels Jun 3, 2026

MoneroOcean merged commit a4b3dce into master Jun 3, 2026
3 checks passed

MoneroOcean deleted the codex/fix-heap-overflow-in-merged-mining-code branch June 3, 2026 18:24

Provide feedback