From 091016a149efa28e9cf986a81bce5eee417e0c6d Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Mar 2026 14:58:09 -0700 Subject: [PATCH 1/6] Ensure se050Ctx->used does not overflow in se050_hash_update. Thanks to Arjuna Arya for the report. Fixes #9951. --- wolfcrypt/src/port/nxp/se050_port.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c index 2532dd5fb2c..8d6ac5d0178 100644 --- a/wolfcrypt/src/port/nxp/se050_port.c +++ b/wolfcrypt/src/port/nxp/se050_port.c @@ -266,9 +266,11 @@ int se050_hash_copy(SE050_HASH_Context* src, SE050_HASH_Context* dst) int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len) { - byte* tmp = NULL; + byte* tmp = NULL; + word32 tmpSz = 0; - if (se050Ctx == NULL || (len > 0 && data == NULL)) { + if (se050Ctx == NULL || (len > 0 && data == NULL) || + !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { return BAD_FUNC_ARG; } From d205fcac87608b8c0488c075f80e462c78781749 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Mar 2026 17:27:18 -0700 Subject: [PATCH 2/6] Fix potential overflows in two additional hash functions. Thanks to Arjuna Arya for the report. Fixes #9955. --- wolfcrypt/src/hash.c | 5 +++++ wolfcrypt/src/port/ti/ti-hash.c | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index e82c6f6ac32..afc8744245e 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -1954,6 +1954,11 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags) int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in, int inSz, void* heap) { + word32 tmpSz = 0; + + if (!WC_SAFE_SUM_WORD32(*used, inSz, tmpSz)) + return BAD_FUNC_ARG; + if (*len < *used + inSz) { if (*msg == NULL) { *msg = (byte*)XMALLOC(*used + inSz, heap, DYNAMIC_TYPE_TMP_BUFFER); 
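Review bot: In `se050_hash_update` (se050_port.c, PATCH 1/6) the overflow case returns the same `BAD_FUNC_ARG` as a NULL argument, and nothing next to the new clause records why it is there. The clause also relies on `||` short-circuiting so that `se050Ctx->used` is read only after the NULL test, which is easy to break if the condition is reordered. I would add a comment above the `if`, for example `/* Reject the update if used + len would not fit in a word32; tmpSz receives the checked sum. */`. The function body continues outside the hunk, so whether the later size computations use the checked sum is not visible here.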
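Review bot: The new guard in `_wc_Hash_Grow` (hash.c, PATCH 2/6) reads `*used` before anything has checked that `used` is non-NULL. The unchanged lines below dereference `len` and `msg` under the same assumption, and `in` is the copy source in the later hunk of this series. If every caller is internal and guarantees these pointers, a one-line comment saying so is enough. Otherwise the check belongs in front of the sum, e.g. `if (msg == NULL || used == NULL || len == NULL || in == NULL) return BAD_FUNC_ARG;`. The function body continues past the end of the hunk.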
diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c index 4cd18440bf3..80255040c0b 100644 --- a/wolfcrypt/src/port/ti/ti-hash.c +++ b/wolfcrypt/src/port/ti/ti-hash.c @@ -75,8 +75,11 @@ static int hashInit(wolfssl_TI_Hash *hash) static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len) { void *p; + word32 tmpSz = 0; - if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG; + if ((hash== NULL) || (data == NULL) || + !WC_SAFE_SUM_WORD32(hash->used, len, tmpSz)) + return BAD_FUNC_ARG; if (hash->len < hash->used+len) { if (hash->msg == NULL) { From 42b321a7d315d26ab4953a56d2e977adf8948c05 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Mar 2026 17:35:45 -0700 Subject: [PATCH 3/6] Use safe sum of used size after calculating it. No reason to redo the additions. Fixes unused variable warning as well. Fix different type addition in hash.c. --- wolfcrypt/src/hash.c | 12 ++++++------ wolfcrypt/src/port/nxp/se050_port.c | 16 ++++++++-------- wolfcrypt/src/port/ti/ti-hash.c | 12 ++++++------ 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index afc8744245e..bf29731b327 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -1954,17 +1954,17 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags) int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in, int inSz, void* heap) { - word32 tmpSz = 0; + word32 usedSz = 0; - if (!WC_SAFE_SUM_WORD32(*used, inSz, tmpSz)) + if (!WC_SAFE_SUM_WORD32(*used, (word32)inSz, usedSz)) return BAD_FUNC_ARG; - if (*len < *used + inSz) { + if (*len < usedSz) { if (*msg == NULL) { - *msg = (byte*)XMALLOC(*used + inSz, heap, DYNAMIC_TYPE_TMP_BUFFER); + *msg = (byte*)XMALLOC(usedSz, heap, DYNAMIC_TYPE_TMP_BUFFER); } else { - byte* pt = (byte*)XREALLOC(*msg, *used + inSz, heap, + byte* pt = (byte*)XREALLOC(*msg, usedSz, heap, DYNAMIC_TYPE_TMP_BUFFER); if (pt == NULL) { return MEMORY_E; 
@@ -1974,7 +1974,7 @@ int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in, if (*msg == NULL) { return MEMORY_E; } - *len = *used + inSz; + *len = usedSz; } XMEMCPY(*msg + *used, in, inSz); *used += inSz; diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c index 8d6ac5d0178..01693d1ec01 100644 --- a/wolfcrypt/src/port/nxp/se050_port.c +++ b/wolfcrypt/src/port/nxp/se050_port.c @@ -267,26 +267,26 @@ int se050_hash_copy(SE050_HASH_Context* src, SE050_HASH_Context* dst) int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len) { byte* tmp = NULL; - word32 tmpSz = 0; + word32 usedSz = 0; if (se050Ctx == NULL || (len > 0 && data == NULL) || - !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { + !WC_SAFE_SUM_WORD32(se050Ctx->used, len, usedSz)) { return BAD_FUNC_ARG; } - if (se050Ctx->len < se050Ctx->used + len) { + if (se050Ctx->len < usedSz) { if (se050Ctx->msg == NULL) { - se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len, + se050Ctx->msg = (byte*)XMALLOC(usedSz, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); - XMEMSET(se050Ctx->msg, 0, se050Ctx->used + len); + XMEMSET(se050Ctx->msg, 0, usedSz); } else { - tmp = (byte*)XMALLOC(se050Ctx->used + len, se050Ctx->heap, + tmp = (byte*)XMALLOC(usedSz, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { return MEMORY_E; } - XMEMSET(tmp, 0, se050Ctx->used + len); + XMEMSET(tmp, 0, usedSz); XMEMCPY(tmp, se050Ctx->msg, se050Ctx->used); XFREE(se050Ctx->msg, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); se050Ctx->msg = tmp; @@ -294,7 +294,7 @@ int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len if (se050Ctx->msg == NULL) { return MEMORY_E; } - se050Ctx->len = se050Ctx->used + len; + se050Ctx->len = usedSz; } XMEMCPY(se050Ctx->msg + se050Ctx->used, data, len); diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c index 80255040c0b..d3024fc6d0b 100644 --- a/wolfcrypt/src/port/ti/ti-hash.c 
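Review bot: In `_wc_Hash_Grow` (hash.c, hunk at -1974) the last line still recomputes the sum with `*used += inSz;` although the checked value is already in `usedSz`. Assigning it directly, `*used = usedSz;`, keeps one overflow-checked source for the new length and avoids the implicit int-to-word32 conversion of `inSz` in the compound assignment. The same applies to `hash->used += len;` at the end of the `hashUpdate` hunk in ti-hash.c, which could become `hash->used = usedSz;`. The `se050_hash_update` hunks end before its counter update, so I cannot tell whether it follows the same pattern.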
+++ b/wolfcrypt/src/port/ti/ti-hash.c @@ -75,21 +75,21 @@ static int hashInit(wolfssl_TI_Hash *hash) static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len) { void *p; - word32 tmpSz = 0; + word32 usedSz = 0; if ((hash== NULL) || (data == NULL) || - !WC_SAFE_SUM_WORD32(hash->used, len, tmpSz)) + !WC_SAFE_SUM_WORD32(hash->used, len, usedSz)) return BAD_FUNC_ARG; - if (hash->len < hash->used+len) { + if (hash->len < usedSz) { if (hash->msg == NULL) { - p = XMALLOC(hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + p = XMALLOC(usedSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); } else { - p = XREALLOC(hash->msg, hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + p = XREALLOC(hash->msg, usedSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); } if (p == 0)return 1; hash->msg = p; - hash->len = hash->used+len; + hash->len = usedSz; } XMEMCPY(hash->msg+hash->used, data, len); hash->used += len; From 0a082b08ca19aab296c3b08ecf6f98d846fac756 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 12 Mar 2026 15:12:48 -0700 Subject: [PATCH 4/6] Code review feedback --- wolfcrypt/src/hash.c | 2 +- wolfcrypt/src/port/nxp/se050_port.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index bf29731b327..61f7aacd632 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -1956,7 +1956,7 @@ int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in, { word32 usedSz = 0; - if (!WC_SAFE_SUM_WORD32(*used, (word32)inSz, usedSz)) + if (inSz <= 0 || !WC_SAFE_SUM_WORD32(*used, (word32)inSz, usedSz)) return BAD_FUNC_ARG; if (*len < usedSz) { diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c index 01693d1ec01..0783323c221 100644 --- a/wolfcrypt/src/port/nxp/se050_port.c +++ b/wolfcrypt/src/port/nxp/se050_port.c 
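Review bot: Rejecting `inSz == 0` in `_wc_Hash_Grow` (hash.c, PATCH 4/6) turns a zero-length update into `BAD_FUNC_ARG`, where the earlier code appears to fall through to a zero-byte copy. Hash update functions are commonly called with an empty chunk, so a caller that forwards its length unchanged would now get an error. The callers are not on this page, so this needs confirming against them. If only negative sizes are the concern, `if (inSz < 0 || !WC_SAFE_SUM_WORD32(*used, (word32)inSz, usedSz))` keeps the empty update working. PATCH 5/6 makes the same choice for `len == 0` in `se050_hash_update` and `hashUpdate`, so the decision should be made once for all three.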
@@ -278,6 +278,9 @@ int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len if (se050Ctx->msg == NULL) { se050Ctx->msg = (byte*)XMALLOC(usedSz, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (se050Ctx->msg == NULL) { + return MEMORY_E; + } XMEMSET(se050Ctx->msg, 0, usedSz); } else { From 3cc15548bc5f95eb7a59644c5d5b87fda5eb4ae7 Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 13 Mar 2026 14:10:37 -0700 Subject: [PATCH 5/6] Code review feedback. Error out on len = 0 as well. --- wolfcrypt/src/port/nxp/se050_port.c | 2 +- wolfcrypt/src/port/ti/ti-hash.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c index 0783323c221..e244ea35a95 100644 --- a/wolfcrypt/src/port/nxp/se050_port.c +++ b/wolfcrypt/src/port/nxp/se050_port.c @@ -269,7 +269,7 @@ int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len byte* tmp = NULL; word32 usedSz = 0; - if (se050Ctx == NULL || (len > 0 && data == NULL) || + if (se050Ctx == NULL || (len > 0 && data == NULL) || (len == 0) || !WC_SAFE_SUM_WORD32(se050Ctx->used, len, usedSz)) { return BAD_FUNC_ARG; } diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c index d3024fc6d0b..7a025b4bccd 100644 --- a/wolfcrypt/src/port/ti/ti-hash.c +++ b/wolfcrypt/src/port/ti/ti-hash.c @@ -77,7 +77,7 @@ static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len) void *p; word32 usedSz = 0; - if ((hash== NULL) || (data == NULL) || + if ((hash == NULL) || (data == NULL) || (len == 0) || !WC_SAFE_SUM_WORD32(hash->used, len, usedSz)) return BAD_FUNC_ARG; From 0b26791168483529881152428da13e1d056b3b9b Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 13 Mar 2026 15:57:12 -0700 Subject: [PATCH 6/6] Code review feedback --- wolfcrypt/src/port/ti/ti-hash.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
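Review bot: In `se050_hash_update` (se050_port.c, PATCH 5/6) the added `(len == 0)` clause makes the `len > 0 &&` qualifier dead. `(len > 0 && data == NULL) || (len == 0)` accepts and rejects exactly the same inputs as `data == NULL || len == 0`. Writing the first line as `if (se050Ctx == NULL || data == NULL || len == 0 ||`, followed by the existing `WC_SAFE_SUM_WORD32` line, matches the form used in `hashUpdate` in ti-hash.c and is easier to audit. A short comment saying that empty updates are intentionally an error would also help, since the previous condition explicitly allowed `len == 0` with a NULL `data`.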
diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c index 7a025b4bccd..739f3f5a71c 100644 --- a/wolfcrypt/src/port/ti/ti-hash.c +++ b/wolfcrypt/src/port/ti/ti-hash.c @@ -87,7 +87,8 @@ static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len) } else { p = XREALLOC(hash->msg, usedSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); } - if (p == 0)return 1; + if (p == 0) + return MEMORY_E; hash->msg = p; hash->len = usedSz; }
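Review bot: The allocation check in `hashUpdate` (ti-hash.c, PATCH 6/6) compares a pointer with the integer `0` and leaves the `return` unbraced. `if (p == NULL) { return MEMORY_E; }` would match the braced `NULL` checks this series uses in se050_port.c and hash.c. It also makes later additions to the failure path less error-prone. The function starts and ends outside this hunk.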