From d601f16621e55c2f174afea2c5d7d1c9a0c0b969 Mon Sep 17 00:00:00 2001
From: Anthony Towns <aj@erisian.com.au>
Date: Mon, 11 Sep 2017 13:40:31 +1000
Subject: [PATCH] Fix invalid memory access in CScript::operator+=

---
 src/script/script.h       |  1 +
 src/test/script_tests.cpp | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/script/script.h b/src/script/script.h
index 587f2d26e..2a9206054 100644
--- a/src/script/script.h
+++ b/src/script/script.h
@@ -420,6 +420,7 @@ public:
 
     CScript& operator+=(const CScript& b)
     {
+        reserve(size() + b.size());
         insert(end(), b.begin(), b.end());
         return *this;
     }
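Review bot: The added `reserve()` in `operator+=` carries the whole fix, but nothing says why it must stay, so a later cleanup could drop it as an optional optimisation. When `b` aliases `*this` (as in `s += s`), a reallocation inside `insert()` would free the buffer that `b.begin()`/`b.end()` still point into; growing first, before those iterators are taken, keeps them valid. I would add a comment above the call such as `// b may alias *this: grow first so insert() cannot reallocate while reading from b`. It may also be worth confirming that `size() + b.size()` cannot wrap in the container's size type for reachable script sizes; that type is not visible in this hunk.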
diff --git a/src/test/script_tests.cpp b/src/test/script_tests.cpp
index 17374edcc..011a5db79 100644
--- a/src/test/script_tests.cpp
+++ b/src/test/script_tests.cpp
@@ -1451,4 +1451,21 @@ BOOST_AUTO_TEST_CASE(script_HasValidOps)
     BOOST_CHECK(!script.HasValidOps());
 }
 
+BOOST_AUTO_TEST_CASE(script_can_append_self)
+{
+    CScript s, d;
+
+    s = ScriptFromHex("00");
+    s += s;
+    d = ScriptFromHex("0000");
+    BOOST_CHECK(s == d);
+
+    // check doubling a script that's large enough to require reallocation
+    static const char hex[] = "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f";
+    s = CScript() << ParseHex(hex) << OP_CHECKSIG;
+    d = CScript() << ParseHex(hex) << OP_CHECKSIG << ParseHex(hex) << OP_CHECKSIG;
+    s += s;
+    BOOST_CHECK(s == d);
+}
+
 BOOST_AUTO_TEST_SUITE_END()
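Review bot: The second half of `script_can_append_self` can pass in an ordinary build even without the fix, because a read from a just-freed buffer often still returns the old bytes. The `s == d` check is then only a reliable regression guard when the suite runs under a memory checker such as ASan or Valgrind. I would say so next to the second `s += s;`, e.g. `// without reserve() in operator+= this reads freed memory; reliably detected only under ASan/valgrind`. The existing comment "large enough to require reallocation" also depends on the container's inline capacity, which is not visible here, so naming that threshold beside `hex` would keep the test meaningful if the capacity changes.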