summaryrefslogtreecommitdiff
path: root/lib/libcrypto/bn
diff options
context:
space:
mode:
authorPhilip Guenther <guenther@cvs.openbsd.org>2016-10-17 03:30:15 +0000
committerPhilip Guenther <guenther@cvs.openbsd.org>2016-10-17 03:30:15 +0000
commitc186778f032fd6a144e3e0c7e5a4fc7df758de7c (patch)
treee31ba027b50d2defefba09e0264b75117d3ef7ae /lib/libcrypto/bn
parent7e90b824d60ab24dd424acd9613078e1ebf83b6a (diff)
If BN_div_word() fails (by returning (BN_ULONG)-1) or if the division
fails to reduce the input in the expected space then fail out instead of overflowing the allocated buffer. combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and 3612ff6fcec0e3d1f2a598135fe12177c0419582 ok doug@ beck@
Diffstat (limited to 'lib/libcrypto/bn')
-rw-r--r--lib/libcrypto/bn/bn_print.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/libcrypto/bn/bn_print.c b/lib/libcrypto/bn/bn_print.c
index 2c1681a2c04..f5260655922 100644
--- a/lib/libcrypto/bn/bn_print.c
+++ b/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.29 2016/03/02 06:16:11 doug Exp $ */
+/* $OpenBSD: bn_print.c,v 1.30 2016/10/17 03:30:14 guenther Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -109,7 +109,7 @@ err:
char *
BN_bn2dec(const BIGNUM *a)
{
- int i = 0, num, ok = 0;
+ int i = 0, num, bn_data_num, ok = 0;
char *buf = NULL;
char *p;
BIGNUM *t = NULL;
@@ -136,7 +136,8 @@ BN_bn2dec(const BIGNUM *a)
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
- bn_data = reallocarray(NULL, num / BN_DEC_NUM + 1, sizeof(BN_ULONG));
+ bn_data_num = num / BN_DEC_NUM + 1;
+ bn_data = reallocarray(NULL, bn_data_num, sizeof(BN_ULONG));
buf = malloc(num + 3);
if ((buf == NULL) || (bn_data == NULL)) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -151,9 +152,12 @@ BN_bn2dec(const BIGNUM *a)
if (BN_is_negative(t))
*p++ = '-';
- i = 0;
while (!BN_is_zero(t)) {
+ if (lp - bn_data >= bn_data_num)
+ goto err;
*lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
lp++;
}
lp--;