From 84150d0af193a7ccd733b3c7fa5787f43125cd2d Mon Sep 17 00:00:00 2001
From: Katie Hockman <katie@golang.org>
Date: Tue, 10 Nov 2020 15:54:12 -0500
Subject: [release-branch.go1.15-security] math/big: fix shift for recursive
 division
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous s value could cause a crash
for certain inputs.

Will check in tests and documentation improvements later.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help
developing and validating the fix.

Fixes CVE-2020-28362

Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901065
---
 src/math/big/nat.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/math/big/nat.go b/src/math/big/nat.go
index 6a3989bf9d..8c43de69d3 100644
--- a/src/math/big/nat.go
+++ b/src/math/big/nat.go
@@ -928,7 +928,7 @@ func (z nat) divRecursiveStep(u, v nat, depth int, tmp *nat, temps []*nat) {
 
 	// Now u < (v<<B), compute lower bits in the same way.
 	// Choose shift = B-1 again.
-	s := B
+	s := B - 1
 	qhat := *temps[depth]
 	qhat.clear()
 	qhat.divRecursiveStep(u[s:].norm(), v[s:], depth+1, tmp, temps)
-- 
cgit v1.2.3-54-g00ecf