If BN_div_word() fails (by returning (BN_ULONG)-1) or if the division

fails to reduce the input in the expected space then fail out instead
of overflowing the allocated buffer.

combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and
3612ff6fcec0e3d1f2a598135fe12177c0419582

ok doug@ beck@

1 files changed, 8 insertions, 4 deletions

diff --git a/lib/libcrypto/bn/bn_print.c b/lib/libcrypto/bn/bn_print.c
index 2c1681a2c04..f5260655922 100644
--- a/lib/libcrypto/bn/bn_print.c
+++ b/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.29 2016/03/02 06:16:11 doug Exp $ */
+/* $OpenBSD: bn_print.c,v 1.30 2016/10/17 03:30:14 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -109,7 +109,7 @@ err:
 char *
 BN_bn2dec(const BIGNUM *a)
 {
-	int i = 0, num, ok = 0;
+	int i = 0, num, bn_data_num, ok = 0;
 	char *buf = NULL;
 	char *p;
 	BIGNUM *t = NULL;
@@ -136,7 +136,8 @@ BN_bn2dec(const BIGNUM *a)
 	 */
 	i = BN_num_bits(a) * 3;
 	num = (i / 10 + i / 1000 + 1) + 1;
-	bn_data = reallocarray(NULL, num / BN_DEC_NUM + 1, sizeof(BN_ULONG));
+	bn_data_num = num / BN_DEC_NUM + 1;
+	bn_data = reallocarray(NULL, bn_data_num, sizeof(BN_ULONG));
 	buf = malloc(num + 3);
 	if ((buf == NULL) || (bn_data == NULL)) {
 		BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -151,9 +152,12 @@ BN_bn2dec(const BIGNUM *a)
 	if (BN_is_negative(t))
 		*p++ = '-';
 
-	i = 0;
 	while (!BN_is_zero(t)) {
+		if (lp - bn_data >= bn_data_num)
+			goto err;
 		*lp = BN_div_word(t, BN_DEC_CONV);
+		if (*lp == (BN_ULONG)-1)
+			goto err;
 		lp++;
 	}
 	lp--;