Rearrange terms in gf_mul to prevent segfault

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23512)

(cherry picked from commit 76cecff5e9bedb2bafc60062283f99722697082a)

diff --git a/crypto/ec/curve448/arch_64/f_impl64.c b/crypto/ec/curve448/arch_64/f_impl64.c
index 10a9b065e554a8d28360c6c8d96ca7443e73f1db..9e2f0c66d504a349da5513d71f1530cc937c3afe 100644 (file)
--- a/crypto/ec/curve448/arch_64/f_impl64.c
+++ b/crypto/ec/curve448/arch_64/f_impl64.c
@@ -45,9 +45,9 @@ void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
             accum0 += widemul(a[j + 4], b[i - j + 4]);
         }
         for (; j < 4; j++) {
-            accum2 += widemul(a[j], b[i - j + 8]);
-            accum1 += widemul(aa[j], bbb[i - j + 4]);
-            accum0 += widemul(a[j + 4], bb[i - j + 4]);
+            accum2 += widemul(a[j], b[i + 8 - j]);
+            accum1 += widemul(aa[j], bbb[i + 4 - j]);
+            accum0 += widemul(a[j + 4], bb[i + 4 - j]);
         }
 
         accum1 -= accum2;