From 778da03f0d80c751a45fc3249d05a2859c4ddfcd Mon Sep 17 00:00:00 2001
From: Daniel Schadt <kingdread@gmx.de>
Date: Wed, 9 Apr 2025 09:19:19 +0200
Subject: fix overflow for long messages

---
 src/lib.rs | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'src/lib.rs')

diff --git a/src/lib.rs b/src/lib.rs
index 8b4a5e6..06eb7cd 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -216,7 +216,7 @@ fn encrypt(key: &Key, nonce: &[u8], ad: &[&[u8]], tau: u32, message: &[u8]) -> V
         .chain(iter::repeat_n(0, tau as usize))
         .collect::<Vec<_>>();
     // We treat tau as bytes, but according to the spec, tau is actually in bits.
-    let tau_block = Block::from_int(tau * 8);
+    let tau_block = Block::from_int(tau as u128 * 8);
     let mut tweaks = vec![&tau_block.0, nonce];
     tweaks.extend(ad);
     if message.is_empty() {
@@ -647,10 +647,10 @@ fn e(j: i32, i: i32, key: &Key, block: Block) -> Block {
         aes10(&k, &(block ^ delta))
     } else {
         let k = [&Block::NULL, &key_j, &key_i, &key_l, &Block::NULL];
-        let exponent = if i % 8 == 0 { i / 8 } else { i / 8 + 1 };
         let j: u32 = j.try_into().expect("j was negative");
         let i: u32 = i.try_into().expect("i was negative");
-        let delta = (key_j * j) ^ (key_i * (1 << exponent)) ^ (key_l * (i % 8));
+        let exponent = if i % 8 == 0 { i / 8 } else { i / 8 + 1 };
+        let delta = (key_j * j) ^ key_i.exp(exponent) ^ (key_l * (i % 8));
         aes4(&k, &(block ^ delta))
     }
 }
@@ -793,4 +793,16 @@ mod test {
         assert!(aez.decrypt(&[0], &[b"foobar"], 16, &hash).is_some());
         assert!(aez.decrypt(&[0], &[b"boofar"], 16, &hash).is_none());
     }
+
+    #[test]
+    fn test_fuzzed_1() {
+        let aez = Aez::new(b"");
+        aez.encrypt(b"", &[], 2220241, &[0]);
+    }
+
+    #[test]
+    fn test_fuzzed_2() {
+        let aez = Aez::new(b"");
+        aez.encrypt(b"", &[], 673261693, &[]);
+    }
 }
-- 
cgit v1.2.3