From c9e6ca30c925a213bc92c7b283875d166d3c4f75 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik <andrew.kozlik@gmail.com>
Date: Fri, 3 Dec 2021 17:44:26 +0100
Subject: [PATCH] feat(core): Ensure input's script type and path match the
 scriptPubKey.

---
 core/.changelog.d/1018.changed           | 1 +
 core/.changelog.d/1018.incompatible      | 1 +
 core/src/apps/bitcoin/sign_tx/bitcoin.py | 3 +++
 3 files changed, 5 insertions(+)
 create mode 100644 core/.changelog.d/1018.changed
 create mode 100644 core/.changelog.d/1018.incompatible

diff --git a/core/.changelog.d/1018.changed b/core/.changelog.d/1018.changed
new file mode 100644
index 0000000000..018e42bd4c
--- /dev/null
+++ b/core/.changelog.d/1018.changed
@@ -0,0 +1 @@
+Ensure input's script type and path match the scriptPubKey.
diff --git a/core/.changelog.d/1018.incompatible b/core/.changelog.d/1018.incompatible
new file mode 100644
index 0000000000..d0b3118eb0
--- /dev/null
+++ b/core/.changelog.d/1018.incompatible
@@ -0,0 +1 @@
+Trezor will refuse to sign UTXOs that do not match the provided derivation path (e.g., transactions belonging to a different wallet, or synthetic transaction inputs).
diff --git a/core/src/apps/bitcoin/sign_tx/bitcoin.py b/core/src/apps/bitcoin/sign_tx/bitcoin.py
index 97121eada5..1dd68dd7e3 100644
--- a/core/src/apps/bitcoin/sign_tx/bitcoin.py
+++ b/core/src/apps/bitcoin/sign_tx/bitcoin.py
@@ -229,6 +229,9 @@ class Bitcoin:
                 if prev_amount != txi.amount:
                     raise wire.DataError("Invalid amount specified")
 
+                if script_pubkey != self.input_derive_script(txi):
+                    raise wire.DataError("Input does not match scriptPubKey")
+
                 if i in self.external:
                     await self.verify_external_input(i, txi, script_pubkey)