1 files changed, 15 insertions, 3 deletions

diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index f0ae51f234..48a32bc264 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -79,7 +79,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
         *(p++)=0;
         *(p++)=1; /* Private Key BT (Block Type) */
 
-        /* padd out with 0xff data */
+        /* pad out with 0xff data */
         j=tlen-3-flen;
         memset(p,0xff,j);
         p+=j;
@@ -130,6 +130,11 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
                 }
         i++; /* Skip over the '\0' */
         j-=i;
+        if (j > tlen)
+                {
+                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
+                return(-1);
+                }
         memcpy(to,p,(unsigned int)j);
 
         return(j);
@@ -155,12 +160,14 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
         /* pad out with non-zero random data */
         j=tlen-3-flen;
 
-        RAND_bytes(p,j);
+        if (RAND_bytes(p,j) <= 0)
+                return(0);
         for (i=0; i<j; i++)
                 {
                 if (*p == '\0')
                         do      {
-                                RAND_bytes(p,1);
+                                if (RAND_bytes(p,1) <= 0)
+                                        return(0);
                                 } while (*p == '\0');
                 p++;
                 }
@@ -205,6 +212,11 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
                 }
         i++; /* Skip over the '\0' */
         j-=i;
+        if (j > tlen)
+                {
+                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
+                return(-1);
+                }
         memcpy(to,p,(unsigned int)j);
 
         return(j);