From bfff28ab282ca94be32d53f72fb8ac692186b891 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Mon, 7 Dec 2020 13:41:21 -0600
Subject: [PATCH] ecc.c: fix mp_init_multi() vs mp_clear() dynamics in
 wc_ecc_verify_hash_ex() and mp_sqrtmod_prime().

---
 wolfcrypt/src/ecc.c | 69 +++++++++++++++++++++++++++------------------
 1 file changed, 41 insertions(+), 28 deletions(-)

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 16858511e..e088f1fec 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -6571,8 +6571,9 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
    if (err == MP_OKAY) {
        if ((err = mp_init_multi(v, w, u1, u2, NULL, NULL)) != MP_OKAY) {
           err = MEMORY_E;
+       } else {
+           did_init = 1;
        }
-       did_init = 1;
    }
 
    /* allocate points */
@@ -10801,7 +10802,17 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
   mp_int *T = (mp_int *)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC_BUFFER);
   mp_int *R = (mp_int *)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC_BUFFER);
   mp_int *two = (mp_int *)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC_BUFFER);
+#else
+  mp_int t1[1], C[1], Q[1], S[1], Z[1], M[1], T[1], R[1], two[1];
+#endif
 
+  if ((mp_init_multi(t1, C, Q, S, Z, M) != MP_OKAY) ||
+      (mp_init_multi(T, R, two, NULL, NULL, NULL) != MP_OKAY)) {
+    res = MP_INIT_E;
+    goto out;
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
   if ((t1 == NULL) ||
       (C == NULL) ||
       (Q == NULL) ||
@@ -10814,8 +10825,6 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
     res = MP_MEM;
     goto out;
   }
-#else
-  mp_int t1[1], C[1], Q[1], S[1], Z[1], M[1], T[1], R[1], two[1];
 #endif
 
   /* first handle the simple cases n = 0 or n = 1 */
@@ -10844,13 +10853,6 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
     goto out;
   }
 
-  if ((res = mp_init_multi(t1, C, Q, S, Z, M)) != MP_OKAY)
-    goto out;
-
-  if ((res = mp_init_multi(T, R, two, NULL, NULL, NULL))
-                          != MP_OKAY)
-    goto out;
-
   /* SPECIAL CASE: if prime mod 4 == 3
    * compute directly: res = n^(prime+1)/4 mod prime
    * Handbook of Applied Cryptography algorithm 3.36
@@ -10985,51 +10987,62 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
 
 #ifdef WOLFSSL_SMALL_STACK
   if (t1) {
-    mp_clear(t1);
+    if (res != MP_INIT_E)
+      mp_clear(t1);
     XFREE(t1, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (C) {
-    mp_clear(C);
+    if (res != MP_INIT_E)
+      mp_clear(C);
     XFREE(C, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (Q) {
-    mp_clear(Q);
+    if (res != MP_INIT_E)
+      mp_clear(Q);
     XFREE(Q, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (S) {
-    mp_clear(S);
+    if (res != MP_INIT_E)
+      mp_clear(S);
     XFREE(S, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (Z) {
-    mp_clear(Z);
+    if (res != MP_INIT_E)
+      mp_clear(Z);
     XFREE(Z, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (M) {
-    mp_clear(M);
+    if (res != MP_INIT_E)
+      mp_clear(M);
     XFREE(M, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (T) {
-    mp_clear(T);
+    if (res != MP_INIT_E)
+      mp_clear(T);
     XFREE(T, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (R) {
-    mp_clear(R);
+    if (res != MP_INIT_E)
+      mp_clear(R);
     XFREE(R, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
   if (two) {
-    mp_clear(two);
+    if (res != MP_INIT_E)
+      mp_clear(two);
     XFREE(two, NULL, DYNAMIC_TYPE_ECC_BUFFER);
   }
 #else
-  mp_clear(t1);
-  mp_clear(C);
-  mp_clear(Q);
-  mp_clear(S);
-  mp_clear(Z);
-  mp_clear(M);
-  mp_clear(T);
-  mp_clear(R);
-  mp_clear(two);
+  if (res != MP_INIT_E) {
+    mp_clear(t1);
+    mp_clear(C);
+    mp_clear(Q);
+    mp_clear(S);
+    mp_clear(Z);
+    mp_clear(M);
+    mp_clear(T);
+    mp_clear(R);
+    mp_clear(two);
+  }
 #endif
 
   return res;