Error out on negative shifts in BN_{r,l}shift()

Without these checks in both functions nw = n / BN_BITS2 will be negative
and this leads to out-of-bounds accesses via negative array indices and
memset with a negative size.

Pointed out by cheloha

ok jsing

1 files changed, 13 insertions, 1 deletions

diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index 0e8211e3d6..e89e157446 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.13 2014/10/28 07:35:58 jsg Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.14 2022/06/22 09:03:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/err.h>
+
 #include "bn_lcl.h"
 
 int
@@ -138,6 +140,11 @@ BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
         BN_ULONG *t, *f;
         BN_ULONG l;
 
+        if (n < 0) {
+                BNerror(BN_R_INVALID_LENGTH);
+                return 0;
+        }
+
         bn_check_top(r);
         bn_check_top(a);
 
@@ -175,6 +182,11 @@ BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
         BN_ULONG *t, *f;
         BN_ULONG l, tmp;
 
+        if (n < 0) {
+                BNerror(BN_R_INVALID_LENGTH);
+                return 0;
+        }
+
         bn_check_top(r);
         bn_check_top(a);