From 4eabfce8c19c7f5f6aa4984e18ec81a4d8b5eb4a Mon Sep 17 00:00:00 2001
From: gaochengxuan <gaochengxuan@bupt.edu.com>
Date: Sat, 6 Dec 2025 18:06:07 +0800
Subject: [PATCH] Fix CVE-2022-37454

---
 Modules/_sha3/kcp/KeccakSponge.inc | 14 ++++++++------
 debian/changelog                   |  7 +++++++
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
index e10739d..7241010 100644
--- a/Modules/_sha3/kcp/KeccakSponge.inc
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
     i = 0;
     curData = data;
     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
 #ifdef SnP_FastLoop_Absorb
             /* processing full blocks first */
 
@@ -200,9 +200,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
         else {
             /* normal lane: using the message queue */
 
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
             #ifdef KeccakReference
             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
             #endif
@@ -281,7 +282,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
     i = 0;
     curData = data;
     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
                 SnP_Permute(instance->state);
                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -299,9 +300,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
                 SnP_Permute(instance->state);
                 instance->byteIOIndex = 0;
             }
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
             i += partialBlock;
 
             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
diff --git a/debian/changelog b/debian/changelog
index 7c7caf2..5a546a1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+python3.10 (3.10.7-ok8) yangtze; urgency=medium
+
+  * Fix CVE-2022-37454: Fix buffer overflow in SHA-3 (Keccak).
+  * 关联Issue: I5ZAGE
+
+ -- Gao Chengxuan <gaochengxuan@bupt.edu.cn>  Sat, 06 Dec 2025 18:00:00 +0800
+
 python3.10 (3.10.7-ok7) yangtze; urgency=medium
 
   * CVE-2022-45061 CVE-2022-42919 安全修复
-- 
Gitee