From 1807a5f99b0a814febe3a1b68c03a09af12b9d9e Mon Sep 17 00:00:00 2001
From: MoneroOcean <33983510+MoneroOcean@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:22:10 -0700
Subject: [PATCH] Fix bounds check for merged-mining extra nonce rewrite

---
 src/main.cc | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/main.cc b/src/main.cc
index 94336faf..992230be 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -108,16 +108,22 @@ static bool fillExtraMM(cryptonote::block& block1, const cryptonote::block& bloc
         return false;
     }
-    const int extra_nonce_size = extra[pos + 1];
-    const int new_extra_nonce_size = extra_nonce_size - MM_NONCE_SIZE;
+    const size_t extra_nonce_size = extra[pos + 1];
+    const size_t extra_nonce_start = pos + 2;
+    if (extra_nonce_start > extra.size() || extra_nonce_start + extra_nonce_size > extra.size()) {
+        fprintf(stderr, "Malformed TX_EXTRA_NONCE length in extra\n");
+        return false;
+    }
-    if (new_extra_nonce_size < 0) {
+    if (extra_nonce_size < MM_NONCE_SIZE) {
         fprintf(stderr, "Too small extra size, can't fit MM tag here\n");
         return false;
     }
-    extra[pos + 1] = new_extra_nonce_size;
-    std::copy(extra_nonce_replace.begin(), extra_nonce_replace.end(), extra.begin() + pos + 1 + new_extra_nonce_size + 1);
+    const size_t new_extra_nonce_size = extra_nonce_size - MM_NONCE_SIZE;
+
+    extra[pos + 1] = static_cast(new_extra_nonce_size);
+    std::copy(extra_nonce_replace.begin(), extra_nonce_replace.end(), extra.begin() + extra_nonce_start + new_extra_nonce_size);
     //extra.resize(pos + 1 + extra_nonce_size + 1);
     // get the most recent timestamp (solve duplicated timestamps on child coin)
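Review bot: The length byte is still read with `extra[pos + 1]` one line before the new guard that rejects `extra_nonce_start > extra.size()`, so when the TX_EXTRA_NONCE tag is the last byte of `extra` the out-of-bounds read has already happened by the time the check runs, unless code above the hunk already guarantees `pos + 1 < extra.size()`. Reordering closes it: `if (pos + 2 > extra.size()) { fprintf(stderr, "Malformed TX_EXTRA_NONCE length in extra\n"); return false; }` first, then `const size_t extra_nonce_size = extra[pos + 1];`, then the existing `extra_nonce_start + extra_nonce_size > extra.size()` check. The std::copy at the end of the hunk stays inside `extra` only if `extra_nonce_replace.size()` equals `MM_NONCE_SIZE`, which the hunk does not show; an `assert(extra_nonce_replace.size() == MM_NONCE_SIZE);` next to the copy would pin that assumption. `static_cast(new_extra_nonce_size)` as displayed has no template argument, presumably stripped in rendering; confirm the source reads `static_cast<uint8_t>` (or whatever the element type of `extra` is). fillExtraMM begins above the hunk and continues past it.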