From 8254112c9b43ca5db5a042eb290e4a400bcd49fa Mon Sep 17 00:00:00 2001
From: jordan <jordan@wolfssl.com>
Date: Tue, 18 Apr 2023 10:51:38 -0500
Subject: [PATCH] Fix out-of-bounds write in fp_mod_2d.

---
 wolfcrypt/src/tfm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c
index aa4b441d8..fe8f5bffe 100644
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -1010,6 +1010,13 @@ void fp_mod_2d(fp_int *a, int b, fp_int *c)
    }
 
    bmax = ((unsigned int)b + DIGIT_BIT - 1) / DIGIT_BIT;
+
+   /* If a is negative and bmax is larger than FP_SIZE, then the
+    * result can't fit within c. Just return. */
+   if (c->sign == FP_NEG && bmax > FP_SIZE) {
+      return;
+   }
+
   /* zero digits above the last digit of the modulus */
    for (x = bmax; x < (unsigned int)c->used; x++) {
     c->dp[x] = 0;