Fix heap overflow in ECC point multiplication

If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.

This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.

Reported by Alex Gaynor who found it with AFL

Also fix a one word overwrite in P-521 reduction. Found with AFL

2 files changed, 52 insertions, 0 deletions

diff --git a/src/tests/data/fuzz/pkcs8/ecc_overflow.pem b/src/tests/data/fuzz/pkcs8/ecc_overflow.pem
new file mode 100644
index 000000000..3b52a3ee0
--- /dev/null
+++ b/src/tests/data/fuzz/pkcs8/ecc_overflow.pem
@@ -0,0 +1,11 @@
+-----BEGIN PRIVATE KEY-----
+MIIBjQIBADCCAU0GByqGSM49AgEwggFAAgEBMDwGByqGSM49AQECMQCMuR6Cozht
+KA9db35Q5kHfFS9xCe1UVrQSsdoZf7cRI6zTpymQHRpxh0cAEzEH7FMwZAQwe8OC
+xj2MFQw8cggKzgWvoMK+oo5PsieHE5Fl77qR+Q+KpYFKUDrU6wSox90izigmBDAE
+qMfdIs4oJos5tVQW8ER8L7d94Qfc0qYuiA6lPuti1Xy0OQKV28mUOreGlvpQTBEE
+YQPdHGTwaM9F/6KmOoG3wT9riEej537xT+Pbf8r+DL0Q6Ogm4DQ21kaq74ey4kfU
+rx6Kvh11IPnCpFyx646Vz9VSYrcLKf7sWGThnAVP+ZEpKA5GRiF3kYERQoIDQSY8
+UxUCMQCMuR6CozhtKA9db35Q5kHfFS9xCe1UVrMfFm5srAQlp886tq9rf8MQO4gy
+AukEZWUCAQEENzA1AgEBBDB5HVMmAiyXDGqBKoKEHNIk02EMVKKdHqXG6kDInWC/
+R4ZVuXK3T8DqJrRX7RHxndk=
+-----END PRIVATE KEY-----
diff --git a/src/tests/test_fuzzer.cpp b/src/tests/test_fuzzer.cpp
index 3a5dcc47c..18516a68c 100644
--- a/src/tests/test_fuzzer.cpp
+++ b/src/tests/test_fuzzer.cpp
@@ -14,6 +14,10 @@
   #include <botan/internal/filesystem.h>
 #endif
 
+#if defined(BOTAN_HAS_PUBLIC_KEY_CRYPTO)
+  #include <botan/pkcs8.h>
+#endif
+
 namespace Botan_Tests {
 
 namespace {
@@ -27,11 +31,48 @@ class Fuzzer_Input_Tests : public Test
 #if defined(BOTAN_HAS_X509_CERTIFICATES)
          results.push_back(test_x509_fuzz());
 #endif
+
+#if defined(BOTAN_HAS_PUBLIC_KEY_CRYPTO)
+         results.push_back(test_pkcs8());
+#endif
          return results;
          }
 
    private:
 
+#if defined(BOTAN_HAS_PUBLIC_KEY_CRYPTO)
+      Test::Result test_pkcs8()
+         {
+         std::vector<std::string> files;
+
+         Test::Result result("PKCS #8 fuzzing");
+
+         try
+            {
+            files = Botan::get_files_recursive(Test::data_dir() + "/fuzz/pkcs8");
+            }
+         catch(Botan::No_Filesystem_Access)
+            {
+            result.note_missing("Filesystem readdir wrapper not implemented");
+            return result;
+            }
+
+         for(auto vec_file: files)
+            {
+            try
+               {
+               std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(vec_file, Test::rng()));
+               Botan::X509_Certificate cert(vec_file);
+               }
+            catch(std::exception&) {}
+
+            result.test_success();
+            }
+
+         return result;
+         }
+#endif
+
 #if defined(BOTAN_HAS_X509_CERTIFICATES)
       Test::Result test_x509_fuzz()
          {