From dd935202c9e41db49bfa1e7082d8f0db5788951a Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Wed, 13 Jun 2018 15:36:06 -0400 Subject: [PATCH] Zero-initialize tmp in ec_GFp_simple_mul_single. Although the original value of tmp does not matter, the selects ultimately do bit operations on the uninitialized values and thus depend on them behaving like *some* consistent concrete value. The C spec appears to allow uninitialized values to resolve to trap representations, which means this isn't quite valid.. (If I'm reading it wrong and the compiler must behave as if there were a consistent value in there, it's probably fine, but there's no sense in risking compiler bugs on a subtle corner of things.) Change-Id: Id4547b0ec702414b387e906c4de55595e6214ddb Reviewed-on: https://boringssl-review.googlesource.com/29124 Commit-Queue: Steven Valdez Reviewed-by: Steven Valdez CQ-Verified: CQ bot account: commit-bot@chromium.org --- crypto/fipsmodule/ec/simple_mul.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/fipsmodule/ec/simple_mul.c b/crypto/fipsmodule/ec/simple_mul.c index 394f3199..93ed0a8f 100644 --- a/crypto/fipsmodule/ec/simple_mul.c +++ b/crypto/fipsmodule/ec/simple_mul.c @@ -58,6 +58,7 @@ static void ec_GFp_simple_mul_single(const EC_GROUP *group, EC_RAW_POINT *r, // Select the entry in constant-time. EC_RAW_POINT tmp; + OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT)); for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) { BN_ULONG mask = constant_time_eq_w(j, window); ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
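Review bot: the added `OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));` line ahead of the select loop has no comment explaining why `tmp` is zeroed, and because the loop passes `&tmp.X` to `ec_felem_select` as both an input and the output, the store can look redundant to a later reader and get dropped in a cleanup. A one-line comment above it that carries the commit message's reasoning (the selects do bit operations on the prior contents of `tmp`, so those contents must be a consistent concrete value even though the value itself does not matter) would keep the line in place. Writing the size as `sizeof(tmp)` instead of `sizeof(EC_RAW_POINT)` would also keep the call tied to the declaration directly above it if that type ever changes.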