vendor/openssl/1.0.1u vendor/openssl-1.0.1

author: Jung-uk Kim <jkim@FreeBSD.org> 2016-09-22 13:05:59 +0000
committer: Jung-uk Kim <jkim@FreeBSD.org> 2016-09-22 13:05:59 +0000
commit: 2c14c598c3061ac2533f997352aa06a2266f44d9 (patch)
tree: 470894a14935f308eeac93c6cbf6cf25632e1cb1 /crypto/bn/bn_print.c
parent: 47b11f985b9e0ff561a67e19674de6fbcf79281d (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index bfa31efc5621..a9ff271b9ae9 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
     char *p;
     BIGNUM *t = NULL;
     BN_ULONG *bn_data = NULL, *lp;
+    int bn_data_num;
 
     /*-
      * get an upper bound for the length of the decimal integer
@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
      */
     i = BN_num_bits(a) * 3;
     num = (i / 10 + i / 1000 + 1) + 1;
-    bn_data =
-        (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
-    buf = (char *)OPENSSL_malloc(num + 3);
+    bn_data_num = num / BN_DEC_NUM + 1;
+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+    buf = OPENSSL_malloc(num + 3);
     if ((buf == NULL) || (bn_data == NULL)) {
         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -140,9 +141,12 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
+            if (*lp == (BN_ULONG)-1)
+                goto err;
             lp++;
         }
         lp--;
author	Jung-uk Kim <jkim@FreeBSD.org>	2016-09-22 13:05:59 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2016-09-22 13:05:59 +0000
commit	2c14c598c3061ac2533f997352aa06a2266f44d9 (patch)
tree	470894a14935f308eeac93c6cbf6cf25632e1cb1 /crypto/bn/bn_print.c
parent	47b11f985b9e0ff561a67e19674de6fbcf79281d (diff)