package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch

   1 From 3b576d95dcf791d7b945e75f639da8f89c1685a2 Mon Sep 17 00:00:00 2001
   2 From: czurnieden <czurnieden@gmx.de>
   3 Date: Tue, 9 May 2023 17:17:12 +0200
   4 Subject: Fix possible integer overflow
   5
   6 ---
   7  libtommath/bn_mp_2expt.c                | 4 ++++
   8  libtommath/bn_mp_grow.c                 | 4 ++++
   9  libtommath/bn_mp_init_size.c            | 5 +++++
  10  libtommath/bn_mp_mul_2d.c               | 4 ++++
  11  libtommath/bn_s_mp_mul_digs.c           | 4 ++++
  12  libtommath/bn_s_mp_mul_digs_fast.c      | 4 ++++
  13  libtommath/bn_s_mp_mul_high_digs.c      | 4 ++++
  14  libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++
  15  8 files changed, 33 insertions(+)
  16
  17 --- a/libtommath/bn_mp_2expt.c
  18 +++ b/libtommath/bn_mp_2expt.c
  19 @@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
  20  {
  21     mp_err    err;
  22
  23 +   if (b < 0) {
  24 +      return MP_VAL;
  25 +   }
  26 +
  27     /* zero a as per default */
  28     mp_zero(a);
  29
  30 --- a/libtommath/bn_mp_grow.c
  31 +++ b/libtommath/bn_mp_grow.c
  32 @@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
  33     int     i;
  34     mp_digit *tmp;
  35
  36 +   if (size < 0) {
  37 +      return MP_VAL;
  38 +   }
  39 +
  40     /* if the alloc size is smaller alloc more ram */
  41     if (a->alloc < size) {
  42        /* reallocate the array a->dp
  43 --- a/libtommath/bn_mp_init_size.c
  44 +++ b/libtommath/bn_mp_init_size.c
  45 @@ -6,6 +6,11 @@
  46  /* init an mp_init for a given size */
  47  mp_err mp_init_size(mp_int *a, int size)
  48  {
  49 +
  50 +   if (size < 0) {
  51 +      return MP_VAL;
  52 +   }
  53 +
  54     size = MP_MAX(MP_MIN_PREC, size);
  55
  56     /* alloc mem */
  57 --- a/libtommath/bn_mp_mul_2d.c
  58 +++ b/libtommath/bn_mp_mul_2d.c
  59 @@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b,
  60     mp_digit d;
  61     mp_err   err;
  62
  63 +   if (b < 0) {
  64 +      return MP_VAL;
  65 +   }
  66 +
  67     /* copy */
  68     if (a != c) {
  69        if ((err = mp_copy(a, c)) != MP_OKAY) {
  70 --- a/libtommath/bn_s_mp_mul_digs.c
  71 +++ b/libtommath/bn_s_mp_mul_digs.c
  72 @@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co
  73     mp_word r;
  74     mp_digit tmpx, *tmpt, *tmpy;
  75
  76 +   if (digs < 0) {
  77 +      return MP_VAL;
  78 +   }
  79 +
  80     /* can we use the fast multiplier? */
  81     if ((digs < MP_WARRAY) &&
  82         (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
  83 --- a/libtommath/bn_s_mp_mul_digs_fast.c
  84 +++ b/libtommath/bn_s_mp_mul_digs_fast.c
  85 @@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *
  86     mp_digit W[MP_WARRAY];
  87     mp_word  _W;
  88
  89 +   if (digs < 0) {
  90 +      return MP_VAL;
  91 +   }
  92 +
  93     /* grow the destination as required */
  94     if (c->alloc < digs) {
  95        if ((err = mp_grow(c, digs)) != MP_OKAY) {
  96 --- a/libtommath/bn_s_mp_mul_high_digs.c
  97 +++ b/libtommath/bn_s_mp_mul_high_digs.c
  98 @@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *
  99     mp_word  r;
 100     mp_digit tmpx, *tmpt, *tmpy;
 101
 102 +   if (digs < 0) {
 103 +      return MP_VAL;
 104 +   }
 105 +
 106     /* can we use the fast multiplier? */
 107     if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
 108         && ((a->used + b->used + 1) < MP_WARRAY)
 109 --- a/libtommath/bn_s_mp_mul_high_digs_fast.c
 110 +++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
 111 @@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_
 112     mp_digit W[MP_WARRAY];
 113     mp_word  _W;
 114
 115 +   if (digs < 0) {
 116 +      return MP_VAL;
 117 +   }
 118 +
 119     /* grow the destination as required */
 120     pa = a->used + b->used;
 121     if (c->alloc < pa) {