fix: handle zero-input transaction parsing

When parsing a transaction with 0 inputs, the byte sequence 00 01
(vinLen=0, voutLen=1) was incorrectly interpreted as segwit marker/flag.

This fix validates the segwit interpretation by checking:
1. If vinLen would be 0 (segwit tx with 0 inputs is invalid)
2. If the buffer is too small to contain the claimed number of inputs

If either check fails, fall back to non-segwit parsing.

Fixes #2293

Author: 0xsatoshi99

src/cjs/transaction.cjs

@@ -107,7 +107,19 @@ class Transaction {
       marker === Transaction.ADVANCED_TRANSACTION_MARKER &&
       flag === Transaction.ADVANCED_TRANSACTION_FLAG
     ) {
-      hasWitnesses = true;
+      const { bigintValue: vinLenPeek, bytes: vinLenBytes } =
+        bufferutils_js_1.varuint.decode(buffer, bufferReader.offset);
+      const minInputSize = 41;
+      const remainingAfterVinLen =
+        buffer.length - bufferReader.offset - vinLenBytes;
+      if (
+        vinLenPeek === BigInt(0) ||
+        Number(vinLenPeek) * minInputSize > remainingAfterVinLen
+      ) {
+        bufferReader.offset -= 2;
+      } else {
+        hasWitnesses = true;
+      }
     } else {
       bufferReader.offset -= 2;
     }

src/esm/transaction.js

@@ -65,7 +65,21 @@ export class Transaction {
       marker === Transaction.ADVANCED_TRANSACTION_MARKER &&
       flag === Transaction.ADVANCED_TRANSACTION_FLAG
     ) {
-      hasWitnesses = true;
+      const { bigintValue: vinLenPeek, bytes: vinLenBytes } = varuint.decode(
+        buffer,
+        bufferReader.offset,
+      );
+      const minInputSize = 41;
+      const remainingAfterVinLen =
+        buffer.length - bufferReader.offset - vinLenBytes;
+      if (
+        vinLenPeek === BigInt(0) ||
+        Number(vinLenPeek) * minInputSize > remainingAfterVinLen
+      ) {
+        bufferReader.offset -= 2;
+      } else {
+        hasWitnesses = true;
+      }
     } else {
       bufferReader.offset -= 2;
     }

ts_src/transaction.ts

@@ -77,23 +77,33 @@ export class Transaction {
 
   static fromBuffer(buffer: Uint8Array, _NO_STRICT?: boolean): Transaction {
     const bufferReader = new BufferReader(buffer);
-
     const tx = new Transaction();
     tx.version = bufferReader.readUInt32();
-
     const marker = bufferReader.readUInt8();
     const flag = bufferReader.readUInt8();
-
     let hasWitnesses = false;
     if (
       marker === Transaction.ADVANCED_TRANSACTION_MARKER &&
       flag === Transaction.ADVANCED_TRANSACTION_FLAG
     ) {
-      hasWitnesses = true;
+      const { bigintValue: vinLenPeek, bytes: vinLenBytes } = varuint.decode(
+        buffer,
+        bufferReader.offset,
+      );
+      const minInputSize = 41;
+      const remainingAfterVinLen =
+        buffer.length - bufferReader.offset - vinLenBytes;
+      if (
+        vinLenPeek === BigInt(0) ||
+        Number(vinLenPeek) * minInputSize > remainingAfterVinLen
+      ) {
+        bufferReader.offset -= 2;
+      } else {
+        hasWitnesses = true;
+      }
     } else {
       bufferReader.offset -= 2;
     }
-
     const vinLen = bufferReader.readVarInt();
     for (let i = 0; i < vinLen; ++i) {
       tx.ins.push({