From d26e26f2f46edc35404bc9cfdcfc39daca465b0c Mon Sep 17 00:00:00 2001
From: Gregory Maxwell
Date: Sun, 28 Dec 2014 19:40:40 -0800
Subject: [PATCH] Avoid constructing an invalid signature with probability 1:2^256.

---
 src/ecdsa_impl.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ecdsa_impl.h b/src/ecdsa_impl.h
index b4023be324a..674650c1e9f 100644
--- a/src/ecdsa_impl.h
+++ b/src/ecdsa_impl.h
@@ -198,6 +198,12 @@ static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
     secp256k1_fe_get_b32(b, &r.x);
     int overflow = 0;
     secp256k1_scalar_set_b32(&sig->r, b, &overflow);
+    if (secp256k1_scalar_is_zero(&sig->r)) {
+        /* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
+        secp256k1_gej_clear(&rp);
+        secp256k1_ge_clear(&r);
+        return 0;
+    }
     if (recid) *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
     secp256k1_scalar_t n;