Zero-initialize tmp in ec_GFp_simple_mul_single.

Although the original value of tmp does not matter, the selects
ultimately do bit operations on the uninitialized values and thus depend
on them behaving like *some* consistent concrete value. The C spec
appears to allow uninitialized values to resolve to trap
representations, which means this isn't quite valid.

(If I'm reading it wrong and the compiler must behave as if there were a
consistent value in there, it's probably fine, but there's no sense in
risking compiler bugs on a subtle corner of things.)

Change-Id: Id4547b0ec702414b387e906c4de55595e6214ddb
Reviewed-on: https://boringssl-review.googlesource.com/29124
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
David Benjamin 2018-06-13 15:36:06 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 6ff2ba80b7
commit dd935202c9


@ -58,6 +58,7 @@ static void ec_GFp_simple_mul_single(const EC_GROUP *group, EC_RAW_POINT *r,
// Select the entry in constant-time. // Select the entry in constant-time.
EC_RAW_POINT tmp; EC_RAW_POINT tmp;
OPENSSL_memset(&tmp, 0, sizeof(EC_RAW_POINT));
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) { for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {
BN_ULONG mask = constant_time_eq_w(j, window); BN_ULONG mask = constant_time_eq_w(j, window);
ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X); ec_felem_select(group, &tmp.X, mask, &precomp[j].X, &tmp.X);
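Review bot: The added OPENSSL_memset on tmp has no comment explaining why it is needed, and the existing "Select the entry in constant-time" comment does not cover it. Every loop iteration passes &tmp.X back into ec_felem_select as an input as well as the output, so the first iteration reads tmp before anything has been written to it. A one-line comment at the memset saying that the selects operate on tmp's prior contents, and so need a defined value there, would keep a later cleanup from dropping the call as a dead store. Writing sizeof(tmp) rather than sizeof(EC_RAW_POINT) would also keep the size tied to the variable if its type ever changes.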