authorNIIBE Yutaka <gniibe@fsij.org>2021-05-06 13:06:52 +0900
committerWerner Koch <wk@gnupg.org>2021-08-22 14:11:37 +0200
commit5632fa359a8c24ffd5da309a2d7d922b0956c99b (patch)
tree1202ee743b98a824e4c8d985f71c656a754ea44b
parent7529b8e455e3264e148e5076a9eed3be59059e62 (diff)
downloadlibgcrypt-5632fa359a8c24ffd5da309a2d7d922b0956c99b.tar.gz
ecc: Check the input length for the point.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length of valid point representation. -- In the use case of GnuPG, ECDH decryption for anonymous recipient may try to decrypt with different curves. When the input data of ephemeral key does not match one of the private key, it should return GPG_ERR_INV_OBJ. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> (cherry picked from commit 060c378c050e7ec6206358c681a313d6e1967dcf) (cherry picked from commit 5f814e8a4968c01a7ffc7762bcaf3ce040594caf) GnuPG-bug-id: 5423
-rw-r--r--cipher/ecc-misc.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index d4241190..37b4fa1b 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -411,12 +411,14 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ec, mpi_point_t result)
return GPG_ERR_INV_OBJ;
rawmpilen = (rawmpilen + 7)/8;
- if (rawmpilen > nbytes
+ if (rawmpilen == nbytes + 1
&& (buf[0] == 0x00 || buf[0] == 0x40))
{
rawmpilen--;
buf++;
}
+ else if (rawmpilen > nbytes)
+ return GPG_ERR_INV_OBJ;
rawmpi = xtrymalloc (nbytes);
if (!rawmpi)
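Review bot: The new length test ahead of `xtrymalloc (nbytes)` has no comment saying which encodings are accepted, and the rule is not obvious from the `if` / `else if` pair. I would add above the `if`: `/* Accept exactly one leading prefix byte (0x00 or 0x40); any other input longer than NBYTES is not a valid point. */`. Input shorter than nbytes still passes this test, so the copy that follows has to pad it; that code is outside the hunk and is worth confirming against short inputs, ideally with a regression test for the wrong-curve case described in the commit message.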
@@ -434,6 +436,11 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ec, mpi_point_t result)
rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
if (!rawmpi)
return gpg_err_code_from_syserror ();
+ if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
+ {
+ xfree (rawmpi);
+ return GPG_ERR_INV_OBJ;
+ }
/*
* When we have the prefix (0x40 or 0x00), it comes at the end,
* since it is taken by _gcry_mpi_get_buffer with little endian.
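Review bot: The bound `rawmpilen > nbytes + BYTES_PER_MPI_LIMB` admits up to a full limb of excess bytes, while the opaque-MPI branch in the earlier hunk accepts exactly one prefix byte, and nothing here explains why the two differ. If the slack exists because the length returned by `_gcry_mpi_get_buffer` can include limb padding (an inference, not shown in the hunk), state that in a comment, e.g. `/* Length may include the prefix byte plus limb padding; more than one limb of excess cannot be a valid point. */`. The bytes between nbytes and rawmpilen are not inspected in the visible lines, so a value other than the 0x00/0x40 prefix there would pass this check; the handling continues below the hunk and should be confirmed.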