Ensure se050Ctx->used does not overflow in se050_hash_update.

kareem-wolfssl · kareem-wolfssl · commit 091016a149ef · 2026-03-13T15:57:18.000-07:00
Thanks to Arjuna Arya for the report. Fixes #9951.
diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c
@@ -266,9 +266,11 @@ int se050_hash_copy(SE050_HASH_Context* src, SE050_HASH_Context* dst)
 
 int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len)
 {
-        byte* tmp = NULL;
+    byte* tmp = NULL;
+    word32 tmpSz = 0;
 
-    if (se050Ctx == NULL || (len > 0 && data == NULL)) {
+    if (se050Ctx == NULL || (len > 0 && data == NULL) ||
+        !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
         return BAD_FUNC_ARG;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -266,9 +266,11 @@ int se050_hash_copy(SE050_HASH_Context* src, SE050_HASH_Context* dst)`
`266`	`266`
`267`	`267`	`int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len)`
`268`	`268`	`{`
`269`		`- byte* tmp = NULL;`
	`269`	`+ byte* tmp = NULL;`
	`270`	`+ word32 tmpSz = 0;`
`270`	`271`
`271`		`- if (se050Ctx == NULL \|\| (len > 0 && data == NULL)) {`
	`272`	`+ if (se050Ctx == NULL \|\| (len > 0 && data == NULL) \|\|`
	`273`	`+ !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {`
`272`	`274`	`return BAD_FUNC_ARG;`
`273`	`275`	`}`
`274`	`276`