ecc: fix double-free in wc_ecc_import_point_der_ex on invalid format byte #10592
Open
MarkAtwood wants to merge 1 commit into
Conversation
…byte wc_ecc_import_point_der_ex crashed (double-free/SIGABRT) when given a full-length EC point blob with an invalid first byte (0x01, 0x05, 0xFF, etc.). The function fell through to code paths that partially initialized state, then the cleanup path freed already-freed memory. Add early validation of the format byte and fix cleanup paths to prevent double-free on error.
Pull request overview
Fixes a crash (double-free/SIGABRT) in wc_ecc_import_point_der_ex() when importing an EC point whose first/format byte is invalid, by validating the format byte before any mp_clear() / mp_init_*() operations touch the destination point.
Changes:
- Validate the point format byte (0x02, 0x03, 0x04) immediately after basic argument/length checks.
- Return ASN_PARSE_E early on invalid format byte, avoiding mutation/cleanup of point state.
- Remove the later (post-init) point-type validation and rely on the earlier check.
Jenkins retest this please
Summary
wc_ecc_import_point_der_ex crashes (double-free/SIGABRT) when given a full-length EC point blob with an invalid first byte (e.g. 0x01, 0x05, 0xFF). The format byte check happened after mp_clear(point->x/y) and memory initialization, so on error the cleanup path freed already-freed memory.
Fix
Move the format byte validation (0x02, 0x03, or 0x04) before any memory operations (mp_clear, mp_init). Return ASN_PARSE_E immediately on invalid format byte, before any state is touched.
Reproducer
Call wc_ecc_import_point_der_ex with a buffer whose first byte is 0x05 (or any value other than 0x02, 0x03, 0x04). Before this fix it crashes; after, it returns ASN_PARSE_E.
Test Plan
- Invalid format bytes (0x01, 0x05, 0xFF) return ASN_PARSE_E without crash
- Uncompressed (0x04) and compressed (0x02, 0x03) points still import correctly
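The ordering the fix describes, as an added example in C that is not wolfSSL's code and not part of this PR: a minimal SEC1 point importer whose format-byte check runs before any clear/init of the destination, paired with a cleanup that is safe to call twice. ex_point, ex_import_point and the EX_* error codes are constructed stand-ins for ecc_point, the real function and ASN_PARSE_E; the point coordinates are plain byte strings rather than mp_int.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed teaching example, not wolfSSL's code; error values are placeholders. */
#define EX_PARSE_E   (-1)
#define EX_BAD_ARG_E (-2)
#define EX_MEMORY_E  (-3)

/* Toy point: big-endian byte strings stand in for mp_int; y stays NULL for compressed input. */
typedef struct { uint8_t *x; uint8_t *y; size_t len; int y_parity; } ex_point;

/* Cleanup that is safe to call twice: free() then NULL each pointer. */
void ex_point_clear(ex_point *p)
{
    free(p->x); p->x = NULL;
    free(p->y); p->y = NULL;
    p->len = 0; p->y_parity = 0;
}

/* Import a SEC1 point: 0x04||X||Y (uncompressed) or 0x02/0x03||X (compressed).
 * field_len is the curve field size in bytes (32 for P-256). */
int ex_import_point(const uint8_t *in, size_t inLen, size_t field_len, ex_point *out)
{
    int compressed;
    if (in == NULL || out == NULL || inLen == 0 || field_len == 0)
        return EX_BAD_ARG_E;
    /* Reject an unknown format byte BEFORE any clear/init of *out, so bad input
     * can never leave the destination half-initialised for a later cleanup. */
    if (in[0] == 0x04)                           compressed = 0;
    else if (in[0] == 0x02 || in[0] == 0x03)     compressed = 1;
    else                                         return EX_PARSE_E;
    if (inLen != 1 + (compressed ? field_len : 2 * field_len))
        return EX_PARSE_E;
    /* Only now is it safe to release whatever the caller's point held. */
    ex_point_clear(out);
    out->x = malloc(field_len);
    if (out->x == NULL) return EX_MEMORY_E;
    memcpy(out->x, in + 1, field_len);
    if (compressed) {
        out->y_parity = in[0] & 1;   /* recovering y needs curve arithmetic; keep parity only */
    } else {
        out->y = malloc(field_len);
        if (out->y == NULL) { ex_point_clear(out); return EX_MEMORY_E; }
        memcpy(out->y, in + 1 + field_len, field_len);
    }
    out->len = field_len;
    return 0;
}
```

An invalid first byte returns before ex_point_clear runs, so the caller's point is exactly as it was, and a later cleanup finds nothing freed twice.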