aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-02-27 09:28:13 -0500
committerJack Lloyd <[email protected]>2018-02-27 09:32:06 -0500
commit74ca458b14d265b68ad25cf918aa216b3fa51103 (patch)
tree12384690d2d3deed8201040a877d8dbf7ab4b24c /src
parent5fcc1c70d7ae2b2bac8598629e576a7a484b770a (diff)
Fix overflow in monty_redc
OSS-Fuzz caught a bug introduced in 5fcc1c70d7a. bigint_monty_redc assumes z is 2*p_words+2 words long. Previously the implicit rounding up in grow_to ensured a resize would result in a sufficiently large value. OSS-Fuzz 6581 6588 6593
Diffstat (limited to 'src')
-rw-r--r--src/lib/pubkey/ec_group/curve_gfp.cpp8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/pubkey/ec_group/curve_gfp.cpp b/src/lib/pubkey/ec_group/curve_gfp.cpp
index a55741fb0..1bca04d07 100644
--- a/src/lib/pubkey/ec_group/curve_gfp.cpp
+++ b/src/lib/pubkey/ec_group/curve_gfp.cpp
@@ -82,7 +82,7 @@ void CurveGFp_Montgomery::curve_mul(BigInt& z, const BigInt& x, const BigInt& y,
return;
}
- const size_t output_size = 2*m_p_words + 1;
+ const size_t output_size = 2*m_p_words + 2;
ws.resize(2*(m_p_words+2));
if(z.size() < output_size)
@@ -106,7 +106,7 @@ void CurveGFp_Montgomery::curve_sqr(BigInt& z, const BigInt& x,
const size_t x_sw = x.sig_words();
BOTAN_ASSERT(x_sw <= m_p_words, "Input in range");
- const size_t output_size = 2*m_p_words + 1;
+ const size_t output_size = 2*m_p_words + 2;
ws.resize(2*(m_p_words+2));
@@ -165,7 +165,7 @@ void CurveGFp_NIST::curve_mul(BigInt& z, const BigInt& x, const BigInt& y,
}
const size_t p_words = get_p_words();
- const size_t output_size = 2*p_words + 1;
+ const size_t output_size = 2*p_words + 2;
ws.resize(2*(p_words+2));
@@ -188,7 +188,7 @@ void CurveGFp_NIST::curve_sqr(BigInt& z, const BigInt& x,
}
const size_t p_words = get_p_words();
- const size_t output_size = 2*p_words + 1;
+ const size_t output_size = 2*p_words + 2;
ws.resize(2*(p_words+2));