From ae25bb043c140ccfc6b6c2c0e523a062a966a275 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 9 Jun 2022 19:32:46 +0200
Subject: [PATCH] Fix null pointer dereference in mpi_mod_int(0, 2)

Fix a null pointer dereference when performing some operations on zero
represented with 0 limbs: mbedtls_mpi_mod_int() dividing by 2, or
mbedtls_mpi_write_string() in base 2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/bignum-0-mod-2.txt   |  4 ++++
 library/bignum.c                 |  2 +-
 tests/suites/test_suite_mpi.data | 12 ++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/bignum-0-mod-2.txt

diff --git a/ChangeLog.d/bignum-0-mod-2.txt b/ChangeLog.d/bignum-0-mod-2.txt
new file mode 100644
index 000000000..55e53e5ff
--- /dev/null
+++ b/ChangeLog.d/bignum-0-mod-2.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix a null pointer dereference when performing some operations on zero
+     represented with 0 limbs: mbedtls_mpi_mod_int() dividing by 2, or
+     mbedtls_mpi_write_string() in base 2.
diff --git a/library/bignum.c b/library/bignum.c
index f06eff09b..7c0033ebd 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1785,7 +1785,7 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_
     /*
      * handle trivial cases
      */
-    if( b == 1 )
+    if( b == 1 || A->n == 0 )
     {
         *r = 0;
         return( 0 );
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 02a11c894..056310ad7 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -67,12 +67,18 @@ mpi_read_write_string:16:"":16:"":4:0:0
 Test mpi_read_write_string #9 (Empty MPI hex -> dec)
 mpi_read_write_string:16:"":10:"0":4:0:0
 
+Test mpi_read_write_string #9 (Empty MPI hex -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
 Test mpi_read_write_string #8 (Empty MPI dec -> hex)
 mpi_read_write_string:10:"":16:"":4:0:0
 
 Test mpi_read_write_string #9 (Empty MPI dec -> dec)
 mpi_read_write_string:10:"":10:"0":4:0:0
 
+Test mpi_read_write_string #9 (Empty MPI dec -> base 2)
+mpi_read_write_string:16:"":2:"0":4:0:0
+
 Test mpi_write_string #10 (Negative hex with odd number of digits)
 mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
 
@@ -1216,9 +1222,15 @@ mbedtls_mpi_mod_int:10:"1000":2:0:0
 Test mbedtls_mpi_mod_int: 0 (null) % 1
 mbedtls_mpi_mod_int:16:"":1:0:0
 
+Test mbedtls_mpi_mod_int: 0 (null) % 2
+mbedtls_mpi_mod_int:16:"":2:0:0
+
 Test mbedtls_mpi_mod_int: 0 (null) % -1
 mbedtls_mpi_mod_int:16:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
+Test mbedtls_mpi_mod_int: 0 (null) % -2
+mbedtls_mpi_mod_int:16:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
 Base test mbedtls_mpi_exp_mod #1
 mbedtls_mpi_exp_mod:10:"23":10:"13":10:"29":10:"24":0