The public crypto_sign API documents that the signed-message output buffer sm can be equal to the message input buffer m. In that in-place mode, mld_sign first copies the message from the beginning of sm to sm + MLDSA_CRYPTO_BYTES at mldsa/src/sign.c:1156 through mldsa/src/sign.c:1164. It then calls mld_sign_signature.
If signing fails after this copy, for example because the context length is greater than 255 and domain-prefix construction returns zero at mldsa/src/sign.c:1610, mld_sign_signature clears the detached-signature buffer at mldsa/src/sign.c:1094 through mldsa/src/sign.c:1095. In in-place mode, that signature buffer is the start of the caller's original message buffer. The call returns MLD_ERR_FAIL, sets smlen to zero, and leaves the caller-visible original message wiped even though the message was an input.
The public
crypto_signAPI documents that the signed-message output buffersmcan be equal to the message input bufferm. In that in-place mode,mld_signfirst copies the message from the beginning ofsmtosm + MLDSA_CRYPTO_BYTESatmldsa/src/sign.c:1156throughmldsa/src/sign.c:1164. It then callsmld_sign_signature.If signing fails after this copy, for example because the context length is greater than 255 and domain-prefix construction returns zero at
mldsa/src/sign.c:1610,mld_sign_signatureclears the detached-signature buffer atmldsa/src/sign.c:1094throughmldsa/src/sign.c:1095. In in-place mode, that signature buffer is the start of the caller's original message buffer. The call returnsMLD_ERR_FAIL, setssmlento zero, and leaves the caller-visible original message wiped even though the message was an input.