fd2d434dd3
Cherry picked from libtommath 7bbc1f8e4fe6dce75055957645117180768efb15.
Vulnerability Detail:
CVE Identifier: CVE-2023-36328
Description: Integer Overflow vulnerability in mp_grow in libtom
libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9,
allows attackers to execute arbitrary code and cause a denial of
service (DoS).
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36328
Reported-by: https://github.com/Crispy-fried-chicken
43 lines
1.1 KiB
C
43 lines
1.1 KiB
C
#include "tommath_private.h"
|
|
#ifdef BN_MP_GROW_C
|
|
/* LibTomMath, multiple-precision integer library -- Tom St Denis */
|
|
/* SPDX-License-Identifier: Unlicense */
|
|
|
|
/* grow as required */
|
|
mp_err mp_grow(mp_int *a, int size)
|
|
{
|
|
int i;
|
|
mp_digit *tmp;
|
|
|
|
if (size < 0) {
|
|
return MP_VAL;
|
|
}
|
|
|
|
/* if the alloc size is smaller alloc more ram */
|
|
if (a->alloc < size) {
|
|
/* reallocate the array a->dp
|
|
*
|
|
* We store the return in a temporary variable
|
|
* in case the operation failed we don't want
|
|
* to overwrite the dp member of a.
|
|
*/
|
|
tmp = (mp_digit *) MP_REALLOC(a->dp,
|
|
(size_t)a->alloc * sizeof(mp_digit),
|
|
(size_t)size * sizeof(mp_digit));
|
|
if (tmp == NULL) {
|
|
/* reallocation failed but "a" is still valid [can be freed] */
|
|
return MP_MEM;
|
|
}
|
|
|
|
/* reallocation succeeded so set a->dp */
|
|
a->dp = tmp;
|
|
|
|
/* zero excess digits */
|
|
i = a->alloc;
|
|
a->alloc = size;
|
|
MP_ZERO_DIGITS(a->dp + i, a->alloc - i);
|
|
}
|
|
return MP_OKAY;
|
|
}
|
|
#endif
|