From 98831c25d4609f7018217504cf2d6748cf0404cf Mon Sep 17 00:00:00 2001 From: jordan Date: Fri, 8 May 2026 15:26:57 -0500 Subject: [PATCH 1/3] wolfmath: check mpSz in wc_export_int. --- tests/api/test_wolfmath.c | 8 ++++++++ wolfcrypt/src/wolfmath.c | 8 ++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index 4c86856dd42..1e4b622727c 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -193,6 +193,14 @@ int test_wc_export_int(void) ExpectIntEQ(wc_export_int(&mp, buf, &len, 0, WC_TYPE_HEX_STR), 0); /* hex version of 1234 is 04D2 and should be 4 digits + 1 null */ ExpectIntEQ(len, 5); + mp_clear(&mp); + + /* test mp_int too large for export buf */ + len = sizeof(buf); + ExpectIntEQ(mp_init(&mp), MP_OKAY); + ExpectIntEQ(mp_set_bit(&mp, 257), 0); + ExpectIntEQ(wc_export_int(&mp, buf, &len, 0, WC_TYPE_UNSIGNED_BIN), + WC_NO_ERR_TRACE(BUFFER_E)); mp_clear(&mp); #endif diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 20258001b90..60cd6b965d6 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -253,14 +253,18 @@ int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz, else { /* for WC_TYPE_UNSIGNED_BIN keySz is used to zero pad. * The key size is always returned as the size */ + word32 mpSz = 0; if (*len < keySz) { *len = keySz; return BUFFER_E; } *len = keySz; + mpSz = (word32)mp_unsigned_bin_size(mp); + if (mpSz > keySz) { + return BUFFER_E; + } XMEMSET(buf, 0, *len); - err = mp_to_unsigned_bin(mp, buf + - (keySz - (word32)mp_unsigned_bin_size(mp))); + err = mp_to_unsigned_bin(mp, buf + (keySz - mpSz)); } return err; From 99e5597372ce9f49e3bb6ea745d934ab22af6e00 Mon Sep 17 00:00:00 2001 From: jordan Date: Mon, 11 May 2026 12:09:50 -0500 Subject: [PATCH 2/3] wolfmath: check mpSz cleanup. --- tests/api/test_wolfmath.c | 2 +- wolfcrypt/src/wolfmath.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index 1e4b622727c..fa91c2cc97f 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -199,7 +199,7 @@ int test_wc_export_int(void) len = sizeof(buf); ExpectIntEQ(mp_init(&mp), MP_OKAY); ExpectIntEQ(mp_set_bit(&mp, 257), 0); - ExpectIntEQ(wc_export_int(&mp, buf, &len, 0, WC_TYPE_UNSIGNED_BIN), + ExpectIntEQ(wc_export_int(&mp, buf, &len, keySz, WC_TYPE_UNSIGNED_BIN), WC_NO_ERR_TRACE(BUFFER_E)); mp_clear(&mp); diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 60cd6b965d6..74af4f2d22a 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -253,14 +253,14 @@ int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz, else { /* for WC_TYPE_UNSIGNED_BIN keySz is used to zero pad. * The key size is always returned as the size */ - word32 mpSz = 0; + int mpSz = 0; if (*len < keySz) { *len = keySz; return BUFFER_E; } *len = keySz; - mpSz = (word32)mp_unsigned_bin_size(mp); - if (mpSz > keySz) { + mpSz = mp_unsigned_bin_size(mp); + if (mpSz < 0 || (word32)mpSz > keySz) { return BUFFER_E; } XMEMSET(buf, 0, *len); From 5918eabe2c694129967f81328525e878794a7abf Mon Sep 17 00:00:00 2001 From: jordan Date: Mon, 11 May 2026 21:46:36 -0500 Subject: [PATCH 3/3] wolfmath: fix mpSz cast. --- wolfcrypt/src/wolfmath.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 74af4f2d22a..06fb8ed017d 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -264,7 +264,7 @@ int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz, return BUFFER_E; } XMEMSET(buf, 0, *len); - err = mp_to_unsigned_bin(mp, buf + (keySz - mpSz)); + err = mp_to_unsigned_bin(mp, buf + (keySz - (word32)mpSz)); } return err;