Fix undefined behavior with the most negative mbedtls_mpi_sint
When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/bignum.c b/library/bignum.c
index 497ccbc..04aca69 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -263,7 +263,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
memset( X->p, 0, X->n * ciL );
- X->p[0] = ( z < 0 ) ? -z : z;
+ X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
X->s = ( z < 0 ) ? -1 : 1;
cleanup:
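Review bot: The new line `X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;` is correct only because the cast happens before the negation, and nothing at the use site says so; a later cleanup that "simplifies" it back to `-z` reintroduces the signed overflow on the most negative mbedtls_mpi_sint that this commit removes. The same expression is repeated verbatim in the four later hunks (lines 21, 29, 37 and 45), so the reasoning from the commit message deserves to live once in the code, next to the operation. I would factor the idiom into a file-scope `static inline` helper with a comment explaining the cast order, and call it from the five sites, so the well-definedness argument is stated once and the ternary cannot drift. This relies on mbedtls_mpi_uint being at least as wide as mbedtls_mpi_sint, which the hunk does not show; if that holds, the unsigned negation yields the exact magnitude. The enclosing function of each hunk begins outside the visible lines, and it would be worth confirming that a test exercises the most negative input value, which this diff does not add.
```c
/* Magnitude of z as an unsigned word. The cast to unsigned must come
 * before the negation: -z on the most negative mbedtls_mpi_sint is a
 * signed overflow (undefined), whereas negating the converted unsigned
 * value is well defined and gives the intended magnitude. */
static inline mbedtls_mpi_uint mpi_sint_abs( mbedtls_mpi_sint z )
{
    return ( z < 0 ) ? -(mbedtls_mpi_uint) z : (mbedtls_mpi_uint) z;
}
/* … unchanged: mbedtls_mpi_lset body up to the assignment … */
    X->p[0] = mpi_sint_abs( z );
```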
@@ -853,7 +853,7 @@
mbedtls_mpi_uint p[1];
MPI_VALIDATE_RET( X != NULL );
- *p = ( z < 0 ) ? -z : z;
+ *p = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
Y.s = ( z < 0 ) ? -1 : 1;
Y.n = 1;
Y.p = p;
@@ -1057,7 +1057,7 @@
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;
@@ -1075,7 +1075,7 @@
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;
@@ -1413,7 +1413,7 @@
mbedtls_mpi_uint p[1];
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;