From 0d82732a9a16cecc445e61c718ce9bdc2d228e76 Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Fri, 5 Jul 2019 00:30:36 -0400 Subject: [PATCH] Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow. --- src/scalar_low_impl.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/scalar_low_impl.h b/src/scalar_low_impl.h index 5dbc356..910ce3f 100644 --- a/src/scalar_low_impl.h +++ b/src/scalar_low_impl.h @@ -40,6 +40,9 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int if (flag && bit < 32) *r += ((uint32_t)1 << bit); #ifdef VERIFY + VERIFY_CHECK(bit < 32); + /* Verify that adding (1 << bit) will not overflow any in-range scalar *r by overflowing the underlying uint32_t. */ + VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER); VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0); #endif }