From 21872d1126eec5006b6dcb86debadefbe50113dd Mon Sep 17 00:00:00 2001
From: sthen <>
Date: Fri, 18 Sep 2015 09:00:04 +0000
Subject: Revert bn_print.c:r1.25 ("handle negative-zero in BN_bn2dec() too")
 for now, it has a NULL deref. Segfault reported by Mikolaj Kucharski, ok
 bcook

---
 src/lib/libcrypto/bn/bn_print.c         | 53 ++++++++++++++-------------------
 src/lib/libssl/src/crypto/bn/bn_print.c | 53 ++++++++++++++-------------------
 2 files changed, 44 insertions(+), 62 deletions(-)

diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c
index a68412c8a8..021ed23d96 100644
--- a/src/lib/libcrypto/bn/bn_print.c
+++ b/src/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.25 2015/09/13 16:02:11 deraadt Exp $ */
+/* $OpenBSD: bn_print.c,v 1.26 2015/09/18 09:00:04 sthen Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -114,20 +114,6 @@ BN_bn2dec(const BIGNUM *a)
 	BIGNUM *t = NULL;
 	BN_ULONG *bn_data = NULL, *lp;
 
-	if (BN_is_zero(t)) {
-		buf = malloc(BN_is_negative(t) + 2);
-		if (buf == NULL) {
-			BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
-			goto err;
-		}		
-		p = buf;
-		if (BN_is_negative(t))
-			*(p++) = '-';
-		*(p++) = '0';
-		*(p++) = '\0';
-		return (buf);
-	}
-		
 	/* get an upper bound for the length of the decimal integer
 	 * num <= (BN_num_bits(a) + 1) * log(2)
 	 *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
@@ -147,26 +133,31 @@ BN_bn2dec(const BIGNUM *a)
 #define BUF_REMAIN (num+3 - (size_t)(p - buf))
 	p = buf;
 	lp = bn_data;
-	if (BN_is_negative(t))
-		*p++ = '-';
+	if (BN_is_zero(t)) {
+		*(p++) = '0';
+		*(p++) = '\0';
+	} else {
+		if (BN_is_negative(t))
+			*p++ = '-';
 
-	i = 0;
-	while (!BN_is_zero(t)) {
-		*lp = BN_div_word(t, BN_DEC_CONV);
-		lp++;
-	}
-	lp--;
-	/* We now have a series of blocks, BN_DEC_NUM chars
-	 * in length, where the last one needs truncation.
-	 * The blocks need to be reversed in order. */
-	snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
-	while (*p)
-		p++;
-	while (lp != bn_data) {
+		i = 0;
+		while (!BN_is_zero(t)) {
+			*lp = BN_div_word(t, BN_DEC_CONV);
+			lp++;
+		}
 		lp--;
-		snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+		/* We now have a series of blocks, BN_DEC_NUM chars
+		 * in length, where the last one needs truncation.
+		 * The blocks need to be reversed in order. */
+		snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
 		while (*p)
 			p++;
+		while (lp != bn_data) {
+			lp--;
+			snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+			while (*p)
+				p++;
+		}
 	}
 	ok = 1;
 
diff --git a/src/lib/libssl/src/crypto/bn/bn_print.c b/src/lib/libssl/src/crypto/bn/bn_print.c
index a68412c8a8..021ed23d96 100644
--- a/src/lib/libssl/src/crypto/bn/bn_print.c
+++ b/src/lib/libssl/src/crypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.25 2015/09/13 16:02:11 deraadt Exp $ */
+/* $OpenBSD: bn_print.c,v 1.26 2015/09/18 09:00:04 sthen Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -114,20 +114,6 @@ BN_bn2dec(const BIGNUM *a)
 	BIGNUM *t = NULL;
 	BN_ULONG *bn_data = NULL, *lp;
 
-	if (BN_is_zero(t)) {
-		buf = malloc(BN_is_negative(t) + 2);
-		if (buf == NULL) {
-			BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
-			goto err;
-		}		
-		p = buf;
-		if (BN_is_negative(t))
-			*(p++) = '-';
-		*(p++) = '0';
-		*(p++) = '\0';
-		return (buf);
-	}
-		
 	/* get an upper bound for the length of the decimal integer
 	 * num <= (BN_num_bits(a) + 1) * log(2)
 	 *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
@@ -147,26 +133,31 @@ BN_bn2dec(const BIGNUM *a)
 #define BUF_REMAIN (num+3 - (size_t)(p - buf))
 	p = buf;
 	lp = bn_data;
-	if (BN_is_negative(t))
-		*p++ = '-';
+	if (BN_is_zero(t)) {
+		*(p++) = '0';
+		*(p++) = '\0';
+	} else {
+		if (BN_is_negative(t))
+			*p++ = '-';
 
-	i = 0;
-	while (!BN_is_zero(t)) {
-		*lp = BN_div_word(t, BN_DEC_CONV);
-		lp++;
-	}
-	lp--;
-	/* We now have a series of blocks, BN_DEC_NUM chars
-	 * in length, where the last one needs truncation.
-	 * The blocks need to be reversed in order. */
-	snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
-	while (*p)
-		p++;
-	while (lp != bn_data) {
+		i = 0;
+		while (!BN_is_zero(t)) {
+			*lp = BN_div_word(t, BN_DEC_CONV);
+			lp++;
+		}
 		lp--;
-		snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+		/* We now have a series of blocks, BN_DEC_NUM chars
+		 * in length, where the last one needs truncation.
+		 * The blocks need to be reversed in order. */
+		snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
 		while (*p)
 			p++;
+		while (lp != bn_data) {
+			lp--;
+			snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
+			while (*p)
+				p++;
+		}
 	}
 	ok = 1;
 
-- 
cgit v1.2.3-55-g6feb