author | Philip Guenther <guenther@cvs.openbsd.org> | 2016-10-17 03:30:15 +0000 |
---|---|---|
committer | Philip Guenther <guenther@cvs.openbsd.org> | 2016-10-17 03:30:15 +0000 |
commit | c186778f032fd6a144e3e0c7e5a4fc7df758de7c (patch) | |
tree | e31ba027b50d2defefba09e0264b75117d3ef7ae /lib/libcrypto/bn | |
parent | 7e90b824d60ab24dd424acd9613078e1ebf83b6a (diff) |
If BN_div_word() fails (by returning (BN_ULONG)-1) or if the division
fails to reduce the input in the expected space then fail out instead
of overflowing the allocated buffer.
combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and
3612ff6fcec0e3d1f2a598135fe12177c0419582
ok doug@ beck@
Diffstat (limited to 'lib/libcrypto/bn')
-rw-r--r-- | lib/libcrypto/bn/bn_print.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/libcrypto/bn/bn_print.c b/lib/libcrypto/bn/bn_print.c
index 2c1681a2c04..f5260655922 100644
--- a/lib/libcrypto/bn/bn_print.c
+++ b/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.29 2016/03/02 06:16:11 doug Exp $ */
+/* $OpenBSD: bn_print.c,v 1.30 2016/10/17 03:30:14 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,7 +109,7 @@ err:
 char *
 BN_bn2dec(const BIGNUM *a)
 {
- int i = 0, num, ok = 0;
+ int i = 0, num, bn_data_num, ok = 0;
 char *buf = NULL;
 char *p;
 BIGNUM *t = NULL;
@@ -136,7 +136,8 @@ BN_bn2dec(const BIGNUM *a)
 */
 i = BN_num_bits(a) * 3;
 num = (i / 10 + i / 1000 + 1) + 1;
- bn_data = reallocarray(NULL, num / BN_DEC_NUM + 1, sizeof(BN_ULONG));
+ bn_data_num = num / BN_DEC_NUM + 1;
+ bn_data = reallocarray(NULL, bn_data_num, sizeof(BN_ULONG));
 buf = malloc(num + 3);
 if ((buf == NULL) || (bn_data == NULL)) {
 BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -151,9 +152,12 @@ BN_bn2dec(const BIGNUM *a)
 if (BN_is_negative(t))
 *p++ = '-';

- i = 0;
 while (!BN_is_zero(t)) {
+ if (lp - bn_data >= bn_data_num)
+ goto err;
 *lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
 lp++;
 }
 lp--;
|
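Review bot: `bn_data_num` is derived from `num`, and `num` comes from `i = BN_num_bits(a) * 3` in the context lines just above, which is plain `int` arithmetic. If the bit count can exceed `INT_MAX / 3`, that multiplication overflows, so the allocation size and the loop bound added further down both rest on an undefined value; whether a BIGNUM that large can reach BN_bn2dec() is not visible in this hunk. A guard ahead of the multiplication, for example `if (BN_num_bits(a) > INT_MAX / 3) goto err;`, would let the new bound stand on its own. The function body starts and ends outside the hunk.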
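Review bot: Both new `goto err` exits in the `while (!BN_is_zero(t))` loop leave without recording an error, whereas the allocation-failure path in the same function calls `BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE)`. A caller that gets NULL back then finds nothing on the error queue to tell an aborted conversion from any other failure; pushing something like `BNerr(BN_F_BN_BN2DEC, ERR_R_INTERNAL_ERROR);` before each jump would keep the two paths consistent. The sentinel test also deserves a one-line comment, such as `/* BN_div_word() returns (BN_ULONG)-1 on failure; a real remainder is always < BN_DEC_CONV */`, because the cast alone does not say why that value can never be a valid digit group. The `err:` label and the cleanup it performs are outside the hunk, so whether `buf` and `bn_data` are released on these paths cannot be confirmed from here.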