Restrict scope of NPE check for Bouncy Castle bug.

2025-11-02 13:37:24 +00:00 · 2013-02-21 14:42:04 +01:00
parent 85c9950d9e
commit 3680c7f52f
1 changed files with 9 additions and 4 deletions
--- a/core/src/main/java/com/google/bitcoin/core/ECKey.java
+++ b/core/src/main/java/com/google/bitcoin/core/ECKey.java
@@ -323,12 +323,17 @@ public class ECKey implements Serializable {
            // OpenSSL deviates from the DER spec by interpreting these values as unsigned, though they should not be
            // Thus, we always use the positive versions.
            // See: http://r6.ca/blog/20111119T211504Z.html
-            return signer.verifySignature(data, r.getPositiveValue(), s.getPositiveValue());
+            try {
+                return signer.verifySignature(data, r.getPositiveValue(), s.getPositiveValue());
+            } catch (NullPointerException e) {
+                // Bouncy Castle contains a bug that can cause NPEs given specially crafted signatures. Those signatures
+                // are inherently invalid/attack sigs so we just fail them here rather than crash the thread.
+                System.err.println("Caught NPE inside bouncy castle: " + e);
+                e.printStackTrace();
+                return false;
+            }
        } catch (IOException e) {
            throw new RuntimeException(e);
-        } catch (NullPointerException e) {
-            // Bug in BouncyCastle can cause this for invalid signatures.
-            return false;
        }
    }