From 4be72c979c25ef7a35279c68aa406fff98d172f8 Mon Sep 17 00:00:00 2001
From: fly_fzc <2385803914@qq.com>
Date: Mon, 4 Sep 2023 09:09:30 +0800
Subject: [PATCH] Fix CVE-2023-36328

(cherry picked from commit 2765e90fb9cdbc2c4aafb3e5a18b7b862008bff2)
---
 ...-36328-Fix-possible-integer-overflow.patch | 139 ++++++++++++++++++
 libtommath.spec                               |   7 +-
 2 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-36328-Fix-possible-integer-overflow.patch

diff --git a/backport-CVE-2023-36328-Fix-possible-integer-overflow.patch b/backport-CVE-2023-36328-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000..6b4434e
--- /dev/null
+++ b/backport-CVE-2023-36328-Fix-possible-integer-overflow.patch
@@ -0,0 +1,139 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden <czurnieden@gmx.de>
+Date: Tue, 9 May 2023 17:17:12 +0200
+Subject: [PATCH] Fix possible integer overflow
+
+---
+ bn_mp_2expt.c                | 4 ++++
+ bn_mp_grow.c                 | 4 ++++
+ bn_mp_init_size.c            | 4 ++++
+ bn_mp_mul_2d.c               | 4 ++++
+ bn_s_mp_mul_digs.c           | 4 ++++
+ bn_fast_s_mp_mul_digs.c      | 4 ++++
+ bn_s_mp_mul_high_digs.c      | 4 ++++
+ bn_fast_s_mp_mul_high_digs.c | 4 ++++
+ 8 files changed, 32 insertions(+)
+
+diff --git a/bn_mp_2expt.c b/bn_mp_2expt.c
+index 0ae3df1..23de0c3 100644
+--- a/bn_mp_2expt.c
++++ b/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+    int     res;
+ 
++   if (b < 0) {
++      return MP_VAL;
++   }
++
+    /* zero a as per default */
+    mp_zero(a);
+ 
+diff --git a/bn_mp_grow.c b/bn_mp_grow.c
+index 9e904c5..2b16826 100644
+--- a/bn_mp_grow.c
++++ b/bn_mp_grow.c
+@@ -9,6 +9,10 @@ int mp_grow(mp_int *a, int size)
+    int     i;
+    mp_digit *tmp;
+ 
++   if (size < 0) {
++      return MP_VAL;
++   }
++
+    /* if the alloc size is smaller alloc more ram */
+    if (a->alloc < size) {
+       /* ensure there are always at least MP_PREC digits extra on top */
+diff --git a/bn_mp_init_size.c b/bn_mp_init_size.c
+index d622687..9957383 100644
+--- a/bn_mp_init_size.c
++++ b/bn_mp_init_size.c
+@@ -6,6 +6,10 @@
+ int mp_init_size(mp_int *a, int size)
+ {
+    int x;
++
++   if (size < 0) {
++      return MP_VAL;
++   }
+ 
+    /* pad size so there are always extra digits */
+    size += (MP_PREC * 2) - (size % MP_PREC);
+diff --git a/bn_mp_mul_2d.c b/bn_mp_mul_2d.c
+index 87354de..bfeaf2e 100644
+--- a/bn_mp_mul_2d.c
++++ b/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
+    mp_digit d;
+    int      res;
+ 
++   if (b < 0) {
++      return MP_VAL;
++   }
++
+    /* copy */
+    if (a != c) {
+       if ((res = mp_copy(a, c)) != MP_OKAY) {
+diff --git a/bn_s_mp_mul_digs.c b/bn_s_mp_mul_digs.c
+index 64509d4..3682b49 100644
+--- a/bn_s_mp_mul_digs.c
++++ b/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ int s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_word r;
+    mp_digit tmpx, *tmpt, *tmpy;
+ 
++   if (digs < 0) {
++      return MP_VAL;
++   }
++
+    /* can we use the fast multiplier? */
+    if ((digs < (int)MP_WARRAY) &&
+        (MIN(a->used, b->used) <
+diff --git a/bn_fast_s_mp_mul_digs.c b/bn_fast_s_mp_mul_digs.c
+index b2a287b..3c4176a 100644
+--- a/bn_fast_s_mp_mul_digs.c
++++ b/bn_fast_s_mp_mul_digs.c
+@@ -26,6 +26,10 @@ int fast_s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_digit W[MP_WARRAY];
+    mp_word  _W;
+ 
++   if (digs < 0) {
++      return MP_VAL;
++   }
++
+    /* grow the destination as required */
+    if (c->alloc < digs) {
+       if ((res = mp_grow(c, digs)) != MP_OKAY) {
+diff --git a/bn_s_mp_mul_high_digs.c b/bn_s_mp_mul_high_digs.c
+index 2bb2a50..c9dd355 100644
+--- a/bn_s_mp_mul_high_digs.c
++++ b/bn_s_mp_mul_high_digs.c
+@@ -15,6 +15,10 @@ int s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_word r;
+    mp_digit tmpx, *tmpt, *tmpy;
+ 
++   if (digs < 0) {
++      return MP_VAL;
++   }
++
+    /* can we use the fast multiplier? */
+ #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C
+    if (((a->used + b->used + 1) < (int)MP_WARRAY)
+diff --git a/bn_fast_s_mp_mul_high_digs.c b/bn_fast_s_mp_mul_high_digs.c
+index a2c4fb6..4ce7f59 100644
+--- a/bn_fast_s_mp_mul_high_digs.c
++++ b/bn_fast_s_mp_mul_high_digs.c
+@@ -19,6 +19,10 @@ int fast_s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int
+    mp_digit W[MP_WARRAY];
+    mp_word  _W;
+ 
++   if (digs < 0) {
++      return MP_VAL;
++   }
++
+    /* grow the destination as required */
+    pa = a->used + b->used;
+    if (c->alloc < pa) {
+-- 
+2.27.0
+
diff --git a/libtommath.spec b/libtommath.spec
index 5e562b7..3db4bc2 100644
--- a/libtommath.spec
+++ b/libtommath.spec
@@ -1,12 +1,14 @@
 Name:           libtommath
 Version:        1.1.0
-Release:        3
+Release:        4
 Summary:        A portable number theoretic multiple-precision integer library.
 License:        Public Domain
 URL:            http://www.libtom.net/
 
 Source0:        https://github.com/libtom/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
+Patch0:         backport-CVE-2023-36328-Fix-possible-integer-overflow.patch
+
 BuildRequires:  ghostscript libtiff libtool git texlive-dvips-bin ghostscript-tools-dvipdf
 BuildRequires:  texlive-latex-bin-bin texlive-makeindex-bin texlive-mfware-bin TeXamator git
 BuildRequires:  tex(cmr10.tfm) tex(fancyhdr.sty) tex(hyphen.tex) texlive-metafont-bin
@@ -72,6 +74,9 @@ rm -f demo/*.o
 %doc doc/bn.pdf doc/poster.pdf doc/tommath.pdf
 
 %changelog
+* Mon Sep 04 2023 fuanan <fuanan3@h-partners.com> - 1.1.0-4
+- Fix CVE-2023-36328
+
 * Wed Mar 29 2023 fuanan <fuanan3@h-partners.com> - 1.1.0-3
 - enable check test suite