Zero-initialize tmp in ec_GFp_simple_mul_single.

Although the original value of tmp does not matter, the selects ultimately do bit operations on the uninitialized values and thus depend on them behaving like *some* consistent concrete value. The C spec appears to allow uninitialized values to resolve to trap representations, which means this isn't quite valid.. (If I'm reading it wrong and the compiler must behave as if there were a consistent value in there, it's probably fine, but there's no sense in risking compiler bugs on a subtle corner of things.) Change-Id: Id4547b0ec702414b387e906c4de55595e6214ddb Reviewed-on: https://boringssl-review.googlesource.com/29124 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-06-13 15:36:06 -04:00 · 2018-06-13 15:36:06 -04:00 · dd935202c9
commit dd935202c9
parent 6ff2ba80b7
1 changed files with 1 additions and 0 deletions
--- a/crypto/fipsmodule/ec/simple_mul.c
+++ b/crypto/fipsmodule/ec/simple_mul.c
@ -58,6 +58,7 @@ static void ec_GFp_simple_mul_single(const EC_GROUP *group, EC_RAW_POINT *r,

      // Select the entry in constant-time.
      EC_RAW_POINT tmp;
+      OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
      for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
        BN_ULONG mask = constant_time_eq_w(j, window);
        ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);