extra: initialize receiver in MultiScalarMult

FiloSottile · FiloSottile · commit d1c650afb95f · 2026-02-17T17:50:01.000+01:00
(*Point).MultiScalarMult failed to initialize its receiver. If the method is called on an initialized point that is not the identity point, MultiScalarMult produces an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every point. This was independently reported by @WeebDataHoarder and @shaharcohen1. Fixes CVE-2026-26958 Fixes GHSA-fw7p-63qq-7hpr
diff --git a/edwards25519_test.go b/edwards25519_test.go
@@ -18,6 +18,9 @@ var I = NewIdentityPoint()
 func checkOnCurve(t *testing.T, points ...*Point) {
 	t.Helper()
 	for i, p := range points {
+		if p.z.Equal(new(field.Element)) == 1 {
+			t.Errorf("point %d has Z == 0 (degenerate projective point)", i)
+		}
 		var XX, YY, ZZ, ZZZZ field.Element
 		XX.Square(&p.x)
 		YY.Square(&p.y)
diff --git a/extra.go b/extra.go
@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
 	tmp1 := &projP1xP1{}
 	tmp2 := &projP2{}
 	// Lookup-and-add the appropriate multiple of each input point
+	v.Set(NewIdentityPoint())
 	for j := range tables {
 		tables[j].SelectInto(multiple, digits[j][63])
 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
diff --git a/extra_test.go b/extra_test.go
@@ -149,6 +149,36 @@ func TestMultiScalarMultMatchesBaseMult(t *testing.T) {
 	}
 }
 
+func TestMultiScalarMultZeroReceiver(t *testing.T) {
+	// A zero-value (uninitialized) receiver should be handled correctly,
+	// producing a valid point on the curve.
+	var p Point
+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{B})
+
+	var check Point
+	check.ScalarBaseMult(dalekScalar)
+
+	checkOnCurve(t, &p, &check)
+	if p.Equal(&check) != 1 {
+		t.Error("MultiScalarMult with zero-value receiver did not match ScalarBaseMult")
+	}
+}
+
+func TestMultiScalarMultReceiverAliasing(t *testing.T) {
+	// The receiver v aliasing one of the input points should produce
+	// the correct result.
+	p := NewGeneratorPoint()
+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{p})
+
+	var check Point
+	check.ScalarBaseMult(dalekScalar)
+
+	checkOnCurve(t, p, &check)
+	if p.Equal(&check) != 1 {
+		t.Error("MultiScalarMult with aliased receiver did not match ScalarBaseMult")
+	}
+}
+
 func TestVarTimeMultiScalarMultMatchesBaseMult(t *testing.T) {
 	varTimeMultiScalarMultMatchesBaseMult := func(x, y, z Scalar) bool {
 		var p, q1, q2, q3, check Point
