fix(audit): add non-witness-utxo validation for psbt

Author: muhahahmad68

src/psbt/mod.rs

@@ -43,8 +43,15 @@ impl PsbtUtils for Psbt {
 
         match (&input.witness_utxo, &input.non_witness_utxo) {
             (Some(_), _) => input.witness_utxo.clone(),
-            (_, Some(_)) => input.non_witness_utxo.as_ref().map(|in_tx| {
-                in_tx.output[tx.input[input_index].previous_output.vout as usize].clone()
+            (_, Some(_)) => input.non_witness_utxo.as_ref().and_then(|in_tx| {
+                // Validate that the non_witness_utxo txid matches the input's previous output txid
+                if in_tx.compute_txid() != tx.input[input_index].previous_output.txid {
+                    return None;
+                }
+                in_tx
+                    .output
+                    .get(tx.input[input_index].previous_output.vout as usize)
+                    .cloned()
             }),
             _ => None,
         }