From 9acb0b54f55caafbb0d5ec603238832ffac573f2 Mon Sep 17 00:00:00 2001
Message-Id: <9acb0b54f55caafbb0d5ec603238832ffac573f2.1716248665.git.mdw@distorted.org.uk>
From: Mark Wooding <mdw@chiark.greenend.org.uk>
Date: Sun, 28 May 2017 19:03:08 +0100
Subject: [PATCH] ec.c: Fix embarrassing use-after-free in EC point hashing.
Organization: Straylight/Edgeware

From: Mark Wooding <mdw@distorted.org.uk>

The hashed data is sometimes (unpredictably) mangled by freeing causing
hash mismatches, which is annoying.  Also, obviously incorrect.
---
 ec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ec.c b/ec.c
index 0489bc0..c603489 100644
--- a/ec.c
+++ b/ec.c
@@ -204,8 +204,8 @@ static long ecpt_pyhash(PyObject *me)
   EC_OUT(ECPT_C(me), &p, ECPT_P(me));
   ec_putraw(ECPT_C(me), &b, &p);
   EC_DESTROY(&p);
-  xfree(q);
   h = unihash_hash(&unihash_global, h, BBASE(&b), BLEN(&b));
+  xfree(q);
   return (h % LONG_MAX);
 }
 
-- 
[mdw]