RFR: 8374755: ML-KEM's 12-bit decompression uses incorrect assertions [v2]
Ferenc Rakoczi
duke at openjdk.org
Wed Jan 14 13:31:28 UTC 2026
On Wed, 14 Jan 2026 06:51:00 GMT, Shawn M Emery <duke at openjdk.org> wrote:
>> Ferenc Rakoczi has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Fix off-by-one error discovered by Shawn
>
> src/java.base/share/classes/com/sun/crypto/provider/ML_KEM.java line 1364:
>
>> 1362: int n = (parsedLength + 127) / 128;
>> 1363: assert ((parsed.length >= n * 128) &&
>> 1364: (condensed.length >= index + n * 192));
>
> Given the comments, can this be simplified to just:
>
>
> - int n = (parsedLength + 127) / 128;
> - assert ((parsed.length >= n * 128) &&
> - (condensed.length >= index + n * 192));
> + assert((parsed.length % 128) == 0) && (condensed.length % 192 == 0));
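Review bot: The added assert line has unbalanced parentheses: "assert((parsed.length % 128) == 0)" closes the assert before the "&&", and a stray ")" follows the second comparison, so it would not compile as written. It also drops both parsedLength and index, which the removed lines use. A divisibility test does not relate the array lengths to n or to the starting offset, so keep the lower-bound comparisons against n * 128 and index + n * 192, or add any divisibility check alongside them rather than in their place.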
>
>
> If the length is smaller than the constant then the remainder will be non-zero.
These are the exact conditions that the most demanding intrinsic (the AVX-512 one) requires. If we relied on the callers satisfying these, we wouldn't need the assert :-). The loop in the intrinsic will read n * 192 bytes and write n * 128 shorts; your suggestion would not ensure that the arrays have at least that much space.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2690431489
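The two checks discussed in this thread, compared side by side on constructed array sizes. This is an added example, not code from the pull request or from ML_KEM.java: the class and method names are hypothetical, and the scalar loop is only a stand-in for the intrinsic, assuming the usual packing of two 12-bit values into three bytes.

```java
// Added illustration; names are hypothetical and this is not OpenJDK's ML_KEM code.
public class TwelveBitBounds {
    // Capacity condition quoted in the thread: the loop reads n * 192 bytes
    // starting at index and writes n * 128 shorts.
    static boolean capacityCheck(int condensedLen, int index, int parsedLen, int parsedLength) {
        int n = (parsedLength + 127) / 128;
        return parsedLen >= n * 128 && condensedLen >= index + n * 192;
    }

    // The proposed simplification: divisibility of the array lengths only.
    static boolean divisibilityCheck(int condensedLen, int parsedLen) {
        return parsedLen % 128 == 0 && condensedLen % 192 == 0;
    }

    // Scalar stand-in for the block loop: 3 bytes in, two 12-bit values out.
    static void decode12(byte[] condensed, int index, short[] parsed, int parsedLength) {
        int n = (parsedLength + 127) / 128;
        if (!capacityCheck(condensed.length, index, parsed.length, parsedLength)) {
            throw new IllegalArgumentException("arrays too small for " + n + " blocks");
        }
        for (int i = 0, j = index; i < n * 128; i += 2, j += 3) {
            int b0 = condensed[j] & 0xff;
            int b1 = condensed[j + 1] & 0xff;
            int b2 = condensed[j + 2] & 0xff;
            parsed[i] = (short) (b0 | ((b1 & 0x0f) << 8));
            parsed[i + 1] = (short) ((b1 >> 4) | (b2 << 4));
        }
    }

    public static void main(String[] args) {
        // Constructed cases: {condensed.length, index, parsed.length, parsedLength}
        int[][] cases = {
            {384, 0, 256, 256},   // exact fit for n = 2
            {192, 0, 128, 256},   // lengths are multiples, but n = 2 needs twice as much
            {384, 192, 256, 256}, // multiple of 192, but index leaves room for one block
            {400, 8, 300, 256},   // not multiples, yet large enough for the loop
        };
        for (int[] c : cases) {
            System.out.printf("condensed=%d index=%d parsed=%d parsedLength=%d capacity=%b divisibility=%b%n",
                    c[0], c[1], c[2], c[3],
                    capacityCheck(c[0], c[1], c[2], c[3]), divisibilityCheck(c[0], c[2]));
        }
        byte[] in = new byte[192];                // constructed input, one block
        in[0] = 0x34; in[1] = 0x12; in[2] = (byte) 0xab;
        short[] out = new short[128];
        decode12(in, 0, out, 128);
        System.out.printf("first two values: 0x%03x 0x%03x%n", out[0], out[1]);
    }
}
```

The second and third cases pass the divisibility test while leaving the loop short of space, and the fourth fails it although the arrays are large enough.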