From: Loup Vaillant
Date: Sun, 18 Jul 2021 07:48:19 +0000 (+0200)
Subject: Blake2b, Poly1305: fixed undefined behaviour
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=8680b35431eff36439c633e8e295bd1491808741;p=Monocypher.git
Blake2b, Poly1305: fixed undefined behaviour
Caugth by TIS-CI and the latest Clang's UBSan. Incrementing a NULL pointer, even by a NULL offset, is not permitted. This was caused by the removal of a conditional that exited early if the message was empty. The fix was to move the increment inside the alignment loop. It may be tiny bit slower, but this was the slow path already. Users can avoid it by aligning their increments to block boundaries.
---
diff --git a/src/monocypher.c b/src/monocypher.c
index a951e58..af4c2e2 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -389,10 +389,10 @@ void crypto_poly1305_update(crypto_poly1305_ctx *ctx,
 // Align ourselves with block boundaries
 size_t aligned = MIN(align(ctx->c_idx, 16), message_size);
 FOR (i, 0, aligned) {
- poly_take_input(ctx, message[i]);
+ poly_take_input(ctx, *message);
+ message++;
+ message_size--;
 }
- message += aligned;
- message_size -= aligned;
 
 // If block is complete, process it and clear input
 if (ctx->c_idx == 16) {
@@ -583,11 +583,11 @@ void crypto_blake2b_update(crypto_blake2b_ctx *ctx,
 // The block that may result is not compressed yet
 size_t aligned = MIN(align(ctx->input_idx, 128), message_size);
 FOR (i, 0, aligned) {
- blake2b_set_input(ctx, message[i], ctx->input_idx);
+ blake2b_set_input(ctx, *message, ctx->input_idx);
 ctx->input_idx++;
+ message++;
+ message_size--;
 }
- message += aligned;
- message_size -= aligned;
 
 // Process the message block by block
 // The last block is not compressed yet.
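Review bot: Nothing in the new alignment loop of crypto_poly1305_update records why `message++` and `message_size--` sit inside the FOR body rather than after it, so a later clean-up could hoist them back out and reintroduce arithmetic on a NULL `message`; the same applies to the matching loop in crypto_blake2b_update. I would add a comment above each loop such as `// message may be NULL when message_size == 0: advance it only inside the loop, never unconditionally`. Both functions continue outside their hunks, so it is worth confirming that no other unconditional `message += ...` is reached on the empty-message path. No test is visible in this patch; a zero-length update with a NULL message, run under UBSan, would pin the fix against regression.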