Bug fixes 2026-02-18

[iartemov-ledger]

• Fixing call_get_merkleized_map_value() return value checking
• Zeroing out nonce-related stack buffers in musig part
• Fix partial_data_len=0 case

AI-generated unit tests with a small added value, but with a lot of code lines have been removed finally.

[ledger-wiz-cspm-secret-detection]

Wiz Scan Summary

Scanner	Findings
Sensitive Data	-
Secrets	-
IaC Misconfigurations	-
SAST Findings	-
Software Management Findings	-
Total	-

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.81%. Comparing base (7cf2c4d) to head (8ff2b62).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop     #425   +/-   ##
========================================
  Coverage    85.81%   85.81%           
========================================
  Files           18       18           
  Lines         2812     2812           
  Branches       426      427    +1     
========================================
  Hits          2413     2413           
  Misses         388      388           
  Partials        11       11           

Flag	Coverage Δ
unittests	85.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR hardens PSBT signing and MuSig2 flows by improving negative-return checks from merkleized map accessors, tightening preimage streaming validation, and ensuring nonce-related secrets are explicitly zeroed on failure/cleanup paths.

Changes:

• Replace == -1 checks with < 0 for functions that can return multiple negative error codes.
• Add explicit zeroization/cleanup paths for MuSig2 nonce generation/signing intermediates.
• Reject partial_data_len == 0 in call_stream_preimage() to avoid underflow/invalid buffer creation.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/musig/musig.c	Adds failure/cleanup labels to ensure nonce scalars and derived temporaries are explicitly wiped before returning.
src/handler/sign_psbt/txhashes.c	Uses < 0 when validating call_get_merkleized_map_value() result to properly catch all negative error returns.
src/handler/sign_psbt/musig_signing.c	Zeroes rand_i_j and secnonce buffers on all paths; refactors nonce-gen error handling to a cleanup pattern.
src/handler/sign_psbt.c	Updates merkleized map value length checks from == -1 to < 0 for correctness across error codes.
src/handler/lib/stream_preimage.c	Treats partial_data_len == 0 as invalid to prevent partial_data_len - 1 underflow when skipping the 0x00 prefix.
src/handler/lib/policy.c	Updates negative error handling for key info retrieval to use < 0.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.