diff options
| author | jasper <> | 2013-02-15 10:50:33 +0000 |
|---|---|---|
| committer | jasper <> | 2013-02-15 10:50:33 +0000 |
| commit | 5d3fcd31eb0743ae98de8a8b5adf86e5670abbc9 (patch) | |
| tree | 7346b49b225c5bbefbc09720594151cb50242568 | |
| parent | d6eafef2e500f444035f745121024e90a276c326 (diff) | |
| download | openbsd-OPENBSD_5_2.tar.gz openbsd-OPENBSD_5_2.tar.bz2 openbsd-OPENBSD_5_2.zip | |
Fix a buffer overflow in BN_add_word which would occur when certain valuesOPENBSD_5_2
are added to a single word bignum.
from markus@
ok djm@
| -rw-r--r-- | src/lib/libssl/src/crypto/bn/bn_word.c | 25 |
1 files changed, 8 insertions, 17 deletions
diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c b/src/lib/libssl/src/crypto/bn/bn_word.c index ee7b87c45c..de83a15b99 100644 --- a/src/lib/libssl/src/crypto/bn/bn_word.c +++ b/src/lib/libssl/src/crypto/bn/bn_word.c | |||
| @@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) | |||
| 144 | a->neg=!(a->neg); | 144 | a->neg=!(a->neg); |
| 145 | return(i); | 145 | return(i); |
| 146 | } | 146 | } |
| 147 | /* Only expand (and risk failing) if it's possibly necessary */ | 147 | for (i=0;w!=0 && i<a->top;i++) |
| 148 | if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && | ||
| 149 | (bn_wexpand(a,a->top+1) == NULL)) | ||
| 150 | return(0); | ||
| 151 | i=0; | ||
| 152 | for (;;) | ||
| 153 | { | 148 | { |
| 154 | if (i >= a->top) | 149 | a->d[i] = l = (a->d[i]+w)&BN_MASK2; |
| 155 | l=w; | 150 | w = (w>l)?1:0; |
| 156 | else | ||
| 157 | l=(a->d[i]+w)&BN_MASK2; | ||
| 158 | a->d[i]=l; | ||
| 159 | if (w > l) | ||
| 160 | w=1; | ||
| 161 | else | ||
| 162 | break; | ||
| 163 | i++; | ||
| 164 | } | 151 | } |
| 165 | if (i >= a->top) | 152 | if (w && i==a->top) |
| 153 | { | ||
| 154 | if (bn_wexpand(a,a->top+1) == NULL) return 0; | ||
| 166 | a->top++; | 155 | a->top++; |
| 156 | a->d[i]=w; | ||
| 157 | } | ||
| 167 | bn_check_top(a); | 158 | bn_check_top(a); |
| 168 | return(1); | 159 | return(1); |
| 169 | } | 160 | } |