Fix segfaults in BN_dec2bn() and BN_hex2bn()

bn_print.c r1.29 added length checks to avoid overflowing the BIGNUM.
If these checks are hit in length-only mode, i.e., bn is NULL, the
error path dereferences bn. Change goto err to an early return to
avoid this.

ok jsing

1 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c
index 9b5c753316..584903491f 100644
--- a/src/lib/libcrypto/bn/bn_print.c
+++ b/src/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.33 2022/01/20 10:53:33 inoguchi Exp $ */
+/* $OpenBSD: bn_print.c,v 1.34 2022/11/22 08:46:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -205,7 +205,7 @@ BN_hex2bn(BIGNUM **bn, const char *a)
         for (i = 0; i <= (INT_MAX / 4) && isxdigit((unsigned char)a[i]); i++)
                 ;
         if (i > INT_MAX / 4)
-                goto err;
+                return (0);
 
         num = i + neg;
         if (bn == NULL)
@@ -281,7 +281,7 @@ BN_dec2bn(BIGNUM **bn, const char *a)
         for (i = 0; i <= (INT_MAX / 4) && isdigit((unsigned char)a[i]); i++)
                 ;
         if (i > INT_MAX / 4)
-                goto err;
+                return (0);
 
         num = i + neg;
         if (bn == NULL)