author | jasper <> | 2013-02-15 10:50:33 +0000 |
---|---|---|
committer | jasper <> | 2013-02-15 10:50:33 +0000 |
commit | 5d3fcd31eb0743ae98de8a8b5adf86e5670abbc9 (patch) | |
tree | 7346b49b225c5bbefbc09720594151cb50242568 | |
parent | d6eafef2e500f444035f745121024e90a276c326 (diff) | |
Fix a buffer overflow in BN_add_word which would occur when certain values
are added to a single word bignum.
from markus@
ok djm@
-rw-r--r-- | src/lib/libssl/src/crypto/bn/bn_word.c | 25 |
1 files changed, 8 insertions, 17 deletions
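--- a/src/lib/libssl/src/crypto/bn/bn_word.c
+++ b/src/lib/libssl/src/crypto/bn/bn_word.c
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 a->neg=!(a->neg);
 return(i);
 }
-/* Only expand (and risk failing) if it's possibly necessary */
-if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
-(bn_wexpand(a,a->top+1) == NULL))
-return(0);
-i=0;
-for (;;)
+for (i=0;w!=0 && i<a->top;i++)
 {
-if (i >= a->top)
-l=w;
-else
-l=(a->d[i]+w)&BN_MASK2;
-a->d[i]=l;
-if (w > l)
-w=1;
-else
-break;
-i++;
+a->d[i] = l = (a->d[i]+w)&BN_MASK2;
+w = (w>l)?1:0;
 }
-if (i >= a->top)
+if (w && i==a->top)
+{
+if (bn_wexpand(a,a->top+1) == NULL) return 0;
 a->top++;
+a->d[i]=w;
+}
 bn_check_top(a);
 return(1);
 }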
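Review bot: When `bn_wexpand(a,a->top+1)` fails inside the new `if (w && i==a->top)` block, the carry loop above it has already overwritten every word of `a->d`, so `return 0` leaves `a` holding the sum with the carry dropped, not its original value. The removed code attempted the expansion before writing any word, so this failure path is new. Whether callers reuse `a` after a failed call is not visible here, and the function begins outside the hunk. At minimum the block should carry a comment such as `/* carry out of the top word: grow by one limb; on allocation failure a has already been modified */`, and the error path should be written `return(0);` to match the rest of the function.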