From 3a55949b558e3f8f9d11f65223b657b592b83bbe Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 3 Dec 2014 19:53:20 +0000
Subject: handle the (impossible) situation of a size_t - 1 buffer from
 EC_POINT_point2oct so that later allocation does not overflow with miod

---
 src/lib/libcrypto/ec/ec_print.c         | 4 ++--
 src/lib/libssl/src/crypto/ec/ec_print.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/libcrypto/ec/ec_print.c b/src/lib/libcrypto/ec/ec_print.c
index 1c142a1df5..af4d1996c0 100644
--- a/src/lib/libcrypto/ec/ec_print.c
+++ b/src/lib/libcrypto/ec/ec_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_print.c,v 1.6 2014/12/03 19:45:16 deraadt Exp $ */
+/* $OpenBSD: ec_print.c,v 1.7 2014/12/03 19:53:20 deraadt Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -131,7 +131,7 @@ EC_POINT_point2hex(const EC_GROUP * group, const EC_POINT * point,
 
 	buf_len = EC_POINT_point2oct(group, point, form,
 	    NULL, 0, ctx);
-	if (buf_len == 0)
+	if (buf_len == 0 || buf_len + 1 == 0)
 		return NULL;
 
 	if ((buf = malloc(buf_len)) == NULL)
diff --git a/src/lib/libssl/src/crypto/ec/ec_print.c b/src/lib/libssl/src/crypto/ec/ec_print.c
index 1c142a1df5..af4d1996c0 100644
--- a/src/lib/libssl/src/crypto/ec/ec_print.c
+++ b/src/lib/libssl/src/crypto/ec/ec_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_print.c,v 1.6 2014/12/03 19:45:16 deraadt Exp $ */
+/* $OpenBSD: ec_print.c,v 1.7 2014/12/03 19:53:20 deraadt Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -131,7 +131,7 @@ EC_POINT_point2hex(const EC_GROUP * group, const EC_POINT * point,
 
 	buf_len = EC_POINT_point2oct(group, point, form,
 	    NULL, 0, ctx);
-	if (buf_len == 0)
+	if (buf_len == 0 || buf_len + 1 == 0)
 		return NULL;
 
 	if ((buf = malloc(buf_len)) == NULL)
-- 
cgit v1.2.3-55-g6feb