From 0ecb81e74ab9cef8f0a61c010945d3d85d38b8d2 Mon Sep 17 00:00:00 2001
From: Kareem <kareem@wolfssl.com>
Date: Thu, 28 Oct 2021 14:18:22 -0700
Subject: [PATCH] wc_scrypt: Check for underflow in blocksSz calculation.

---
 wolfcrypt/src/pwdbased.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index e5715fd5a..9b6a16f0f 100644
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -566,6 +566,11 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
  */
 #define R(a, b) rotlFixed(a, b)
 
+/* (2^32 - 1) */
+#define WORD32_MAX 4294967295
+/* (2^32 - 1) * 32, used in a couple of scrypt max calculations. */
+#define SCRYPT_MAX 137438953440
+
 /* One round of Salsa20/8.
  * Code taken from RFC 7914: scrypt PBKDF.
  *
@@ -755,7 +760,15 @@ int wc_scrypt(byte* output, const byte* passwd, int passLen,
     if (cost < 1 || cost >= 128 * blockSize / 8 || parallel < 1 || dkLen < 1)
         return BAD_FUNC_ARG;
 
+    if (parallel > (SCRYPT_MAX / (128 * blockSize)))
+        return BAD_FUNC_ARG;
+
+    if (blockSize > (WORD32_MAX / 128))
+        return BAD_FUNC_ARG;
+
     bSz = 128 * blockSize;
+    if (parallel > (WORD32_MAX / bSz))
+        return BAD_FUNC_ARG;
     blocksSz = bSz * parallel;
     blocks = (byte*)XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (blocks == NULL) {