Commit 2f3704f3b6 for openssl.org

commit 2f3704f3b68485daaba5e9243bb8b13791ea023b
Author: Harry Betts <harrybetts06@proton.me>
Date:   Sat May 9 16:54:52 2026 +1000

    Fix OOB read in EC_GROUP_new_from_params() with zero-length generator

    When OSSL_PKEY_PARAM_EC_GENERATOR is provided as an octet string of
    length 0, buf[0] is read before validating data_size, causing a
    heap-buffer-overflow detectable under ASan.

    Reject zero-length generator octet strings before the dereference.

    CLA: trivial
    Resolves: https://github.com/openssl/openssl/issues/31125
    Fixes: c0f39ded68ba "Add Explicit EC parameter support to providers."

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
    MergeDate: Mon May 11 08:34:15 2026
    (Merged from https://github.com/openssl/openssl/pull/31128)

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 87cd558e32..51f0457f65 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1731,7 +1731,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
     /* generator base point */
     ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_GENERATOR);
     if (ptmp == NULL
-        || ptmp->data_type != OSSL_PARAM_OCTET_STRING) {
+        || ptmp->data_type != OSSL_PARAM_OCTET_STRING
+        || ptmp->data_size == 0) {
         ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
         goto err;
     }