From a992480f91b83e10b88e7dcf3a4a8ae4807d05fb Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Thu, 1 Jul 2021 14:50:44 +1000
Subject: [PATCH] ECC: validate ordinate length before export

---
 wolfcrypt/src/ecc.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index fb4774b39..e96369bfc 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -7605,6 +7605,12 @@ int wc_ecc_export_point_der(const int curve_idx, ecc_point* point, byte* out,
 return BUFFER_E;
 }

+ /* Sanity check the ordinates' sizes. */
+ if (((word32)mp_unsigned_bin_size(point->x) > numlen) ||
+ ((word32)mp_unsigned_bin_size(point->y) > numlen)) {
+ return ECC_BAD_ARG_E;
+ }
+
 /* store byte point type */
 out[0] = ECC_POINT_UNCOMP;

@@ -7676,6 +7682,11 @@ int wc_ecc_export_point_der_compressed(const int curve_idx, ecc_point* point,
 return BUFFER_E;
 }

+ /* Sanity check the ordinate's size. */
+ if ((word32)mp_unsigned_bin_size(point->x) > numlen) {
+ return ECC_BAD_ARG_E;
+ }
+
 /* store byte point type */
 out[0] = mp_isodd(point->y) == MP_YES ? ECC_POINT_COMP_ODD :
 ECC_POINT_COMP_EVEN;
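Review bot: In wc_ecc_export_point_der the new comment says only "Sanity check the ordinates' sizes" and does not record what the check protects. The rest of the function is outside the hunk, but if it left-pads each coordinate at an offset derived from `numlen - mp_unsigned_bin_size(...)`, an over-long coordinate would make that unsigned offset wrap and the write land outside the staging buffer. I would say so in the comment, e.g. `/* Reject ordinates longer than the curve size: the padding offset computed below would underflow. */`. The diffstat shows only ecc.c changed, so a regression test that exports a point whose x or y is longer than the curve size and expects ECC_BAD_ARG_E is worth adding; the same applies to the check in wc_ecc_export_point_der_compressed.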
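Review bot: In wc_ecc_export_point_der_compressed only `point->x` is length-checked, while `point->y` is still read by `mp_isodd(point->y)` on the context line right after the new block. That looks intentional, since only the parity of y appears to be used at this point, but the asymmetry with the uncompressed variant deserves a comment such as `/* Only x is written out; y contributes its parity only, so its length is not checked. */`. The function body continues outside the hunk, so it is worth confirming that y is not copied into a buffer further down.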