From 3e5b8933f838cc59568cabc727ade62079fd9e9c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Sep 03 2023 18:46:18 +0000
Subject: Fix CVE-2023-36328 (#2236877,#2236878)

The original patch was rewritten so it can be applied on top of libtommath-0.42.0.
---
diff --git a/CVE-2023-36328.patch b/CVE-2023-36328.patch
new file mode 100644
index 0000000..900214d
--- /dev/null
+++ b/CVE-2023-36328.patch
@@ -0,0 +1,111 @@
+From b725e22731dc8d212ea3b168c077bcf71a0e45f0 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Sun, 3 Sep 2023 20:42:32 +0200
+Subject: [PATCH] Fix possible integer overflow
+
+Based on the original upstream commit [0] and adapted to the EPEL 7
+version (0.42.0).
+
+[0] https://github.com/libtom/libtommath/commit/7bbc1f8e4fe6dce75055957645117180768efb15
+---
+ bn_mp_2expt.c | 4 ++++
+ bn_mp_grow.c | 4 ++++
+ bn_mp_init_size.c | 4 ++++
+ bn_mp_mul_2d.c | 4 ++++
+ bn_s_mp_mul_digs.c | 4 ++++
+ bn_s_mp_mul_high_digs.c | 4 ++++
+ 6 files changed, 24 insertions(+)
+
+diff --git a/bn_mp_2expt.c b/bn_mp_2expt.c
+index 4774aab..e9df9ba 100755
+--- a/bn_mp_2expt.c
++++ b/bn_mp_2expt.c
+@@ -25,6 +25,10 @@ mp_2expt (mp_int * a, int b)
+ {
+ int res;
+
++ if (b < 0) {
++ return MP_VAL;
++ }
++
+ /* zero a as per default */
+ mp_zero (a);
+
+diff --git a/bn_mp_grow.c b/bn_mp_grow.c
+index f1c1cab..1a75340 100755
+--- a/bn_mp_grow.c
++++ b/bn_mp_grow.c
+@@ -21,6 +21,10 @@ int mp_grow (mp_int * a, int size)
+ int i;
+ mp_digit *tmp;
+
++ if (size < 0) {
++ return MP_VAL;
++ }
++
+ /* if the alloc size is smaller alloc more ram */
+ if (a->alloc < size) {
+ /* ensure there are always at least MP_PREC digits extra on top */
+diff --git a/bn_mp_init_size.c b/bn_mp_init_size.c
+index 69dd49c..519f51d 100755
+--- a/bn_mp_init_size.c
++++ b/bn_mp_init_size.c
+@@ -20,6 +20,10 @@ int mp_init_size (mp_int * a, int size)
+ {
+ int x;
+
++ if (size < 0) {
++ return MP_VAL;
++ }
++
+ /* pad size so there are always extra digits */
+ size += (MP_PREC * 2) - (size % MP_PREC);
+
+diff --git a/bn_mp_mul_2d.c b/bn_mp_mul_2d.c
+index 385ac59..99c1945 100755
+--- a/bn_mp_mul_2d.c
++++ b/bn_mp_mul_2d.c
+@@ -21,6 +21,10 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c)
+ mp_digit d;
+ int res;
+
++ if (b < 0) {
++ return MP_VAL;
++ }
++
+ /* copy */
+ if (a != c) {
+ if ((res = mp_copy (a, c)) != MP_OKAY) {
+diff --git a/bn_s_mp_mul_digs.c b/bn_s_mp_mul_digs.c
+index 86196bf..c328185 100755
+--- a/bn_s_mp_mul_digs.c
++++ b/bn_s_mp_mul_digs.c
+@@ -27,6 +27,10 @@ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
+ mp_word r;
+ mp_digit tmpx, *tmpt, *tmpy;
+
++ if (digs < 0) {
++ return MP_VAL;
++ }
++
+ /* can we use the fast multiplier? */
+ if (((digs) < MP_WARRAY) &&
+ MIN (a->used, b->used) <
+diff --git a/bn_s_mp_mul_high_digs.c b/bn_s_mp_mul_high_digs.c
+index 019014e..8ffae4f 100755
+--- a/bn_s_mp_mul_high_digs.c
++++ b/bn_s_mp_mul_high_digs.c
+@@ -27,6 +27,10 @@ s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
+ mp_word r;
+ mp_digit tmpx, *tmpt, *tmpy;
+
++ if (digs < 0) {
++ return MP_VAL;
++ }
++
+ /* can we use the fast multiplier? */
+ #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C
+ if (((a->used + b->used + 1) < MP_WARRAY)
+--
+2.41.0
+
diff --git a/libtommath.spec b/libtommath.spec
index c29ee3d..5b19385 100644
--- a/libtommath.spec
+++ b/libtommath.spec
@@ -1,12 +1,13 @@ Name: libtommath Version: 0.42.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A portable number theoretic multiple-precision integer library License: Public Domain URL: http://www.libtom.net/ Source0: https://github.com/libtom/%{name}/releases/download/v%{version}/ltm-%{version}.tar.bz2 Patch0: %{name}-makefile.patch +Patch1: CVE-2023-36328.patch BuildRequires: ghostscript BuildRequires: libtool
@@ -51,6 +52,7 @@ The %{name}-doc package contains PDF documentation for using %{name}. %prep %setup -q %patch0 -p1 -b .makefile +%patch1 -p1 %build # no configure script ships with libtommath. Its only requirement is ANSI C.
@@ -91,6 +93,9 @@ find %{buildroot} -name '*.a' -delete %doc bn.pdf poster.pdf tommath.pdf %changelog +* Sun Sep 03 2023 Frantisek Sumsal - 0.42.0-6 +- Fix CVE-2023-36328 (#2236877,#2236878) + * Sun Jun 25 2017 Simone Caronni - 0.42.0-5 - Update URLs (#1463608, #1463547)
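Review bot: In the `mp_init_size` hunk of the added CVE-2023-36328.patch, the new `size < 0` guard rejects negative sizes, but the context line right after it, `size += (MP_PREC * 2) - (size % MP_PREC);`, can still overflow signed `int` when `size` is within roughly `2 * MP_PREC` of `INT_MAX`. That is undefined behaviour and would probably hand a wrapped value to whatever allocation follows outside the hunk. An upper bound beside the new check would close this, for example `if (size > INT_MAX - (MP_PREC * 2)) { return MP_MEM; }`, assuming `<limits.h>` is reachable through `tommath.h` in 0.42.0. The `mp_grow` hunk ends on the comment that introduces the same padding step, so it likely needs the same bound. Both function bodies continue outside the hunks, so this should be confirmed against the full 0.42.0 sources.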