crypto/subtle: don't cast to *uintptr when word size is 0

Casting to a *uintptr is not ok if there isn't at least 8 bytes of
data backing that pointer (on 64-bit archs).
So although we end up making a slice of 0 length with that pointer,
the cast itself doesn't know that.
Instead, bail early if the result is going to be 0 length.

Fixes #59334

Change-Id: Id3c0e09d341d838835c0382cccfb0f71dc3dc7e6
Reviewed-on: https://go-review.googlesource.com/c/go/+/480575
Run-TryBot: Keith Randall <khr@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>

src/crypto/subtle/xor_generic.go

@@ -46,7 +46,13 @@ func aligned(dst, x, y *byte) bool {
 // words returns a []uintptr pointing at the same data as x,
 // with any trailing partial word removed.
 func words(x []byte) []uintptr {
-	return unsafe.Slice((*uintptr)(unsafe.Pointer(&x[0])), uintptr(len(x))/wordSize)
+	n := uintptr(len(x)) / wordSize
+	if n == 0 {
+		// Avoid creating a *uintptr that refers to data smaller than a uintptr;
+		// see issue 59334.
+		return nil
+	}
+	return unsafe.Slice((*uintptr)(unsafe.Pointer(&x[0])), n)
 }
 
 func xorLoop[T byte | uintptr](dst, x, y []T) {

test/fixedbugs/issue59334.go

@@ -0,0 +1,18 @@
+// run -tags=purego -gcflags=all=-d=checkptr
+
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import "crypto/subtle"
+
+func main() {
+	dst := make([]byte, 5)
+	src := make([]byte, 5)
+	for _, n := range []int{1024, 2048} { // just to make the size non-constant
+		b := make([]byte, n)
+		subtle.XORBytes(dst, src, b[n-5:])
+	}
+}