From 3a8b1770f777369735a2c00ec31f92e2514b71d2 Mon Sep 17 00:00:00 2001
From: Scott
Date: Mon, 16 Mar 2026 12:37:33 -0500
Subject: [PATCH] Fix integer overflow in hash keep and TI hash update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both _wc_Hash_Grow() and hashUpdate() compute buffer sizes via unchecked addition of used + inSz/len. If used is near UINT32_MAX, the sum wraps to a small value, causing a small allocation followed by a large memcpy — a heap buffer overflow.
Fix: use WC_SAFE_SUM_WORD32() to check for overflow before the addition, consistent with the fix applied in #9954 for SE050.
Affects:
- wolfcrypt/src/hash.c: _wc_Hash_Grow() (WOLFSSL_HASH_KEEP)
- wolfcrypt/src/port/ti/ti-hash.c: hashUpdate() (WOLFSSL_TI_HASH)
Fixes #9955
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 wolfcrypt/src/hash.c | 13 +++++++++----
 wolfcrypt/src/port/ti/ti-hash.c | 12 ++++++++----
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c
index e82c6f6ac32..4a6834e1a63 100644
--- a/wolfcrypt/src/hash.c
+++ b/wolfcrypt/src/hash.c
@@ -1954,12 +1954,17 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
 int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in,
 int inSz, void* heap)
 {
- if (*len < *used + inSz) {
+ word32 newSz;
+
+ if (!WC_SAFE_SUM_WORD32(*used, (word32)inSz, newSz)) {
+ return BUFFER_E;
+ }
+ if (*len < newSz) {
 if (*msg == NULL) {
- *msg = (byte*)XMALLOC(*used + inSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+ *msg = (byte*)XMALLOC(newSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
 }
 else {
- byte* pt = (byte*)XREALLOC(*msg, *used + inSz, heap,
+ byte* pt = (byte*)XREALLOC(*msg, newSz, heap,
 DYNAMIC_TYPE_TMP_BUFFER);
 if (pt == NULL) {
 return MEMORY_E;
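Review bot: A negative `inSz` is not rejected before the `(word32)inSz` cast in the new overflow check in _wc_Hash_Grow(), so a value such as -1 becomes 0xFFFFFFFF and, when `*used` is 0, passes `WC_SAFE_SUM_WORD32` without wrapping. If the resulting allocation succeeds, the same signed value reaches `XMEMCPY(*msg + *used, in, inSz)` and `*used += inSz` in the following hunk, where it is converted to a very large copy length. Whether any caller can actually pass a negative size is not visible from this patch, but a guard ahead of the sum, `if (inSz < 0) return BAD_FUNC_ARG;`, would close the gap. The function body continues past the end of this hunk.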
@@ -1969,7 +1974,7 @@ int _wc_Hash_Grow(byte** msg, word32* used, word32* len, const byte* in,
 if (*msg == NULL) {
 return MEMORY_E;
 }
- *len = *used + inSz;
+ *len = newSz;
 }
 XMEMCPY(*msg + *used, in, inSz);
 *used += inSz;
diff --git a/wolfcrypt/src/port/ti/ti-hash.c b/wolfcrypt/src/port/ti/ti-hash.c
index 4cd18440bf3..365084a8517 100644
--- a/wolfcrypt/src/port/ti/ti-hash.c
+++ b/wolfcrypt/src/port/ti/ti-hash.c
@@ -75,18 +75,22 @@ static int hashInit(wolfssl_TI_Hash *hash)
 static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len)
 {
 void *p;
+ word32 newSz;
 if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG;
- if (hash->len < hash->used+len) {
+ if (!WC_SAFE_SUM_WORD32(hash->used, len, newSz)) {
+ return BAD_FUNC_ARG;
+ }
+ if (hash->len < newSz) {
 if (hash->msg == NULL) {
- p = XMALLOC(hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ p = XMALLOC(newSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 } else {
- p = XREALLOC(hash->msg, hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ p = XREALLOC(hash->msg, newSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 }
 if (p == 0)return 1;
 hash->msg = p;
- hash->len = hash->used+len;
+ hash->len = newSz;
 }
 XMEMCPY(hash->msg+hash->used, data, len);
 hash->used += len;
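Review bot: The new overflow branch in hashUpdate() returns `BAD_FUNC_ARG`, while the same condition in _wc_Hash_Grow() returns `BUFFER_E`, so a caller or log reader cannot tell an oversized accumulation from a NULL argument on the TI path. Using `return BUFFER_E;` here would keep the two fixes consistent, assuming that code is available in this translation unit as `BAD_FUNC_ARG` is. The adjacent context line `if (p == 0)return 1;` reports allocation failure with a positive value, so a caller that tests `ret < 0` would treat it as success (inferred, callers are not shown); `return MEMORY_E;` would match hash.c. hashUpdate's body continues past the end of the hunk.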