From 36c269c3023f5eb626ec79777ed8b285ef939be2 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 15 May 2022 04:39:50 +0200
Subject: [PATCH] Change loops conditions to make zero loop risk more obvious.

Fixes openssl#18073.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18327)
---
 crypto/aria/aria.c    | 2 +-
 crypto/modes/gcm128.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/crypto/aria/aria.c b/crypto/aria/aria.c
index 6a1d713c45..84ddd00cd8 100644
--- a/crypto/aria/aria.c
+++ b/crypto/aria/aria.c
@@ -498,7 +498,7 @@ void ossl_aria_encrypt(const unsigned char *in, unsigned char *out,
     ARIA_ADD_ROUND_KEY(rk, reg0, reg1, reg2, reg3);
     rk++;
 
-    while (Nr -= 2) {
+    while ((Nr -= 2) > 0) {
         ARIA_SUBST_DIFF_EVEN(reg0, reg1, reg2, reg3);
         ARIA_ADD_ROUND_KEY(rk, reg0, reg1, reg2, reg3);
         rk++;
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 8838ffccb9..a57d0f8fd9 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -545,7 +545,11 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
             Xi[0] = Z.hi;
             Xi[1] = Z.lo;
         }
-    } while (inp += 16, len -= 16);
+
+        inp += 16;
+        /* Block size is 128 bits so len is a multiple of 16 */
+        len -= 16;
+    } while (len > 0);
 }
 #  endif
 # else