From c32affe350a821f50337ba46e15fd55bb7b29fb4 Mon Sep 17 00:00:00 2001 From: Giovanni Bajo Date: Tue, 20 Sep 2011 11:55:19 +0200 Subject: [PATCH 1/2] Bugfix: fix buffer overflow with comba sqr The comba sqr code does not check the maximum bounds of fp_int; eg: if you invoke fp_sqr_comba_20, it will write 40 digits to the destination even if FP_SIZE < 40. This is correct for achieving high speeds, but it means that it is the caller's responsibility to check for such overflows. fp_sqr.c only checks for numeric overflows (a->used * 2 >= FP_SIZE) though. This means that if you call fp_sqr() with a small number (say 1), and your FP_SIZE is 10, and you have enabled a fp_sqr_comba_8, it will overflow your buffer by writing 16 digits. Since the exact subset of active comba multipliers/sqrs are up to the user (in tfm.h), we fix the code never to invoke them if they can cause overflows. --- src/sqr/fp_sqr.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/sqr/fp_sqr.c b/src/sqr/fp_sqr.c index 97dea44..effeb2e 100644 --- a/src/sqr/fp_sqr.c +++ b/src/sqr/fp_sqr.c @@ -21,49 +21,49 @@ void fp_sqr(fp_int *A, fp_int *B) } y = A->used; -#if defined(TFM_SQR3) +#if defined(TFM_SQR3) && FP_SIZE >= 6 if (y <= 3) { fp_sqr_comba3(A,B); return; } #endif -#if defined(TFM_SQR4) +#if defined(TFM_SQR4) && FP_SIZE >= 8 if (y == 4) { fp_sqr_comba4(A,B); return; } #endif -#if defined(TFM_SQR6) +#if defined(TFM_SQR6) && FP_SIZE >= 12 if (y <= 6) { fp_sqr_comba6(A,B); return; } #endif -#if defined(TFM_SQR7) +#if defined(TFM_SQR7) && FP_SIZE >= 14 if (y == 7) { fp_sqr_comba7(A,B); return; } #endif -#if defined(TFM_SQR8) +#if defined(TFM_SQR8) && FP_SIZE >= 16 if (y == 8) { fp_sqr_comba8(A,B); return; } #endif -#if defined(TFM_SQR9) +#if defined(TFM_SQR9) && FP_SIZE >= 18 if (y == 9) { fp_sqr_comba9(A,B); return; } #endif -#if defined(TFM_SQR12) +#if defined(TFM_SQR12) && FP_SIZE >= 24 if (y <= 12) { fp_sqr_comba12(A,B); return; } #endif -#if defined(TFM_SQR17) +#if defined(TFM_SQR17) && FP_SIZE >= 34 if (y <= 17) { fp_sqr_comba17(A,B); return; @@ -75,37 +75,37 @@ void fp_sqr(fp_int *A, fp_int *B) return; } #endif -#if defined(TFM_SQR20) +#if defined(TFM_SQR20) && FP_SIZE >= 40 if (y <= 20) { fp_sqr_comba20(A,B); return; } #endif -#if defined(TFM_SQR24) +#if defined(TFM_SQR24) && FP_SIZE >= 48 if (y <= 24) { fp_sqr_comba24(A,B); return; } #endif -#if defined(TFM_SQR28) +#if defined(TFM_SQR28) && FP_SIZE >= 56 if (y <= 28) { fp_sqr_comba28(A,B); return; } #endif -#if defined(TFM_SQR32) +#if defined(TFM_SQR32) && FP_SIZE >= 64 if (y <= 32) { fp_sqr_comba32(A,B); return; } #endif -#if defined(TFM_SQR48) +#if defined(TFM_SQR48) && FP_SIZE >= 96 if (y <= 48) { fp_sqr_comba48(A,B); return; } #endif -#if defined(TFM_SQR64) +#if defined(TFM_SQR64) && FP_SIZE >= 128 if (y <= 64) { fp_sqr_comba64(A,B); return; @@ -115,6 +115,6 @@ void fp_sqr(fp_int *A, fp_int *B) } -/* $Source$ */ -/* $Revision$ */ -/* $Date$ */ +/* $Source: /cvs/libtom/tomsfastmath/src/sqr/fp_sqr.c,v $ */ +/* $Revision: 1.1 $ */ +/* $Date: 2006/12/31 21:25:53 $ */ From 3f7a1dca3bf60ce72284499e3cd20952d6845179 Mon Sep 17 00:00:00 2001 From: Giovanni Bajo Date: Tue, 20 Sep 2011 12:00:07 +0200 Subject: [PATCH 2/2] Fix for buffer overflows in fp_mul. --- src/mul/fp_mul.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/mul/fp_mul.c b/src/mul/fp_mul.c index e0ef99d..4de1e1b 100644 --- a/src/mul/fp_mul.c +++ b/src/mul/fp_mul.c @@ -28,92 +28,92 @@ void fp_mul(fp_int *A, fp_int *B, fp_int *C) if say y=17 then we would do (32-17)^2 = 225 unneeded multiplications */ -#ifdef TFM_MUL3 +#ifdef TFM_MUL3 && FP_SIZE >= 6 if (y <= 3) { fp_mul_comba3(A,B,C); return; } #endif -#ifdef TFM_MUL4 +#ifdef TFM_MUL4 && FP_SIZE >= 8 if (y == 4) { fp_mul_comba4(A,B,C); return; } #endif -#ifdef TFM_MUL6 +#ifdef TFM_MUL6 && FP_SIZE >= 12 if (y <= 6) { fp_mul_comba6(A,B,C); return; } #endif -#ifdef TFM_MUL7 +#ifdef TFM_MUL7 && FP_SIZE >= 14 if (y == 7) { fp_mul_comba7(A,B,C); return; } #endif -#ifdef TFM_MUL8 +#ifdef TFM_MUL8 && FP_SIZE >= 16 if (y == 8) { fp_mul_comba8(A,B,C); return; } #endif -#ifdef TFM_MUL9 +#ifdef TFM_MUL9 && FP_SIZE >= 18 if (y == 9) { fp_mul_comba9(A,B,C); return; } #endif -#ifdef TFM_MUL12 +#ifdef TFM_MUL12 && FP_SIZE >= 24 if (y <= 12) { fp_mul_comba12(A,B,C); return; } #endif -#ifdef TFM_MUL17 +#ifdef TFM_MUL17 && FP_SIZE >= 34 if (y <= 17) { fp_mul_comba17(A,B,C); return; } #endif -#ifdef TFM_SMALL_SET +#ifdef TFM_SMALL_SET && FP_SIZE >= 32 if (y <= 16) { fp_mul_comba_small(A,B,C); return; } #endif -#if defined(TFM_MUL20) +#if defined(TFM_MUL20) && FP_SIZE >= 40 if (y <= 20) { fp_mul_comba20(A,B,C); return; } #endif -#if defined(TFM_MUL24) +#if defined(TFM_MUL24) && FP_SIZE >= 48 if (yy >= 16 && y <= 24) { fp_mul_comba24(A,B,C); return; } #endif -#if defined(TFM_MUL28) +#if defined(TFM_MUL28) && FP_SIZE >= 56 if (yy >= 20 && y <= 28) { fp_mul_comba28(A,B,C); return; } #endif -#if defined(TFM_MUL32) +#if defined(TFM_MUL32) && FP_SIZE >= 64 if (yy >= 24 && y <= 32) { fp_mul_comba32(A,B,C); return; } #endif -#if defined(TFM_MUL48) +#if defined(TFM_MUL48) && FP_SIZE >= 96 if (yy >= 40 && y <= 48) { fp_mul_comba48(A,B,C); return; } #endif -#if defined(TFM_MUL64) +#if defined(TFM_MUL64) && FP_SIZE >= 128 if (yy >= 56 && y <= 64) { fp_mul_comba64(A,B,C); return; @@ -123,6 +123,6 @@ void fp_mul(fp_int *A, fp_int *B, fp_int *C) } -/* $Source$ */ -/* $Revision$ */ -/* $Date$ */ +/* $Source: /cvs/libtom/tomsfastmath/src/mul/fp_mul.c,v $ */ +/* $Revision: 1.1 $ */ +/* $Date: 2006/12/31 21:25:53 $ */