Fix potential overflows in two additional hash functions.

kareem-wolfssl · kareem-wolfssl · commit d205fcac8760 · 2026-03-13T15:57:18.000-07:00
Thanks to Arjuna Arya for the report. Fixes #9955.
diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c
@@ -1954,6 +1954,11 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
 int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in,
                         int inSz, void* heap)
 {
+    word32 tmpSz = 0;
+
+    if (!WC_SAFE_SUM_WORD32(*used, inSz, tmpSz))
+        return BAD_FUNC_ARG;
+
     if (*len < *used + inSz) {
         if (*msg == NULL) {
             *msg = (byte*)XMALLOC(*used + inSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c
@@ -75,8 +75,11 @@ static int hashInit(wolfssl_TI_Hash *hash)
 static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len)
 {
     void *p;
+    word32 tmpSz = 0;
 
-    if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG;
+    if ((hash== NULL) || (data == NULL) ||
+        !WC_SAFE_SUM_WORD32(hash->used, len, tmpSz))
+        return BAD_FUNC_ARG;
 
     if (hash->len < hash->used+len) {
         if (hash->msg == NULL) {
