summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjasper <>2013-02-15 10:50:33 +0000
committerjasper <>2013-02-15 10:50:33 +0000
commit5d3fcd31eb0743ae98de8a8b5adf86e5670abbc9 (patch)
tree7346b49b225c5bbefbc09720594151cb50242568
parentd6eafef2e500f444035f745121024e90a276c326 (diff)
downloadopenbsd-OPENBSD_5_2.tar.gz
openbsd-OPENBSD_5_2.tar.bz2
openbsd-OPENBSD_5_2.zip
Fix a buffer overflow in BN_add_word which would occur when certain valuesOPENBSD_5_2
are added to a single word bignum. from markus@ ok djm@
-rw-r--r--src/lib/libssl/src/crypto/bn/bn_word.c25
1 files changed, 8 insertions, 17 deletions
diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c b/src/lib/libssl/src/crypto/bn/bn_word.c
index ee7b87c45c..de83a15b99 100644
--- a/src/lib/libssl/src/crypto/bn/bn_word.c
+++ b/src/lib/libssl/src/crypto/bn/bn_word.c
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
144 a->neg=!(a->neg); 144 a->neg=!(a->neg);
145 return(i); 145 return(i);
146 } 146 }
147 /* Only expand (and risk failing) if it's possibly necessary */ 147 for (i=0;w!=0 && i<a->top;i++)
148 if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
149 (bn_wexpand(a,a->top+1) == NULL))
150 return(0);
151 i=0;
152 for (;;)
153 { 148 {
154 if (i >= a->top) 149 a->d[i] = l = (a->d[i]+w)&BN_MASK2;
155 l=w; 150 w = (w>l)?1:0;
156 else
157 l=(a->d[i]+w)&BN_MASK2;
158 a->d[i]=l;
159 if (w > l)
160 w=1;
161 else
162 break;
163 i++;
164 } 151 }
165 if (i >= a->top) 152 if (w && i==a->top)
153 {
154 if (bn_wexpand(a,a->top+1) == NULL) return 0;
166 a->top++; 155 a->top++;
156 a->d[i]=w;
157 }
167 bn_check_top(a); 158 bn_check_top(a);
168 return(1); 159 return(1);
169 } 160 }