From 4882648dad1e29b635568abe52251285fb56bdb1 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik <andrew.kozlik@gmail.com>
Date: Wed, 5 Jan 2022 17:01:35 +0100
Subject: [PATCH] fix(crypto): Treat point at infinity as an invalid public key
 in ecdsa_recover_pub_from_sig().

---
 crypto/ecdsa.c            | 4 ++++
 crypto/tests/test_check.c | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index d5d8bd8aa..6b643d398 100644
--- a/crypto/ecdsa.c
+++ b/crypto/ecdsa.c
@@ -1065,6 +1065,10 @@ int ecdsa_recover_pub_from_sig(const ecdsa_curve *curve, uint8_t *pub_key,
   scalar_multiply(curve, &e, &cp2);
   // cp = (s * r^-1 * k - digest * r^-1) * G = Pub
   point_add(curve, &cp2, &cp);
+  // The point at infinity is not considered to be a valid public key.
+  if (point_is_infinity(&cp)) {
+    return 1;
+  }
   pub_key[0] = 0x04;
   bn_write_be(&cp.x, pub_key + 1);
   bn_write_be(&cp.y, pub_key + 33);
diff --git a/crypto/tests/test_check.c b/crypto/tests/test_check.c
index 5d27d5861..4deb44281 100644
--- a/crypto/tests/test_check.c
+++ b/crypto/tests/test_check.c
@@ -3574,6 +3574,14 @@ static void test_ecdsa_recover_pub_from_sig_helper(int (
           "0490d2bd2e9a564d6e1d8324fc6ad00aa4ae597684ecf4abea58bdfe7287ea4fa729"
           "68c2e5b0b40999ede3d7898d94e82c3f8dc4536a567a4bd45998c826a4c4b2"),
       65);
+  // The point at infinity is not considered to be a valid public key.
+  res = ecdsa_recover_pub_from_sig_fn(
+      curve, pubkey,
+      fromhex(
+          "220cf4c7b6d568f2256a8c30cc1784a625a28c3627dac404aa9a9ecd08314ec81a88"
+          "828f20d69d102bab5de5f6ee7ef040cb0ff7b8e1ba3f29d79efb5250f47d"),
+      digest, 0);
+  ck_assert_int_eq(res, 1);
 
   memcpy(
       digest,