Blame SOURCES/gnutls-3.1.18-cve-2014-8564.patch

80dfe2
diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
80dfe2
index 51abe7b..5816b96 100644
80dfe2
--- a/lib/gnutls_ecc.c
80dfe2
+++ b/lib/gnutls_ecc.c
80dfe2
@@ -53,12 +53,24 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc_curve_t curve, bigint_t x, bigint_t y,
80dfe2
 
80dfe2
   /* pad and store x */
80dfe2
   byte_size = (_gnutls_mpi_get_nbits (x) + 7) / 8;
80dfe2
+  if (numlen < byte_size)
80dfe2
+    {
80dfe2
+      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
80dfe2
+      goto cleanup;
80dfe2
+    }
80dfe2
+
80dfe2
   size = out->size - (1 + (numlen - byte_size));
80dfe2
   ret = _gnutls_mpi_print (x, &out->data[1 + (numlen - byte_size)], &size);
80dfe2
   if (ret < 0)
80dfe2
     return gnutls_assert_val (ret);
80dfe2
 
80dfe2
   byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8;
80dfe2
+  if (numlen < byte_size)
80dfe2
+    {
80dfe2
+      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
80dfe2
+      goto cleanup;
80dfe2
+    }
80dfe2
+
80dfe2
   size = out->size - (1 + (numlen + numlen - byte_size));
80dfe2
   ret =
80dfe2
     _gnutls_mpi_print (y, &out->data[1 + numlen + numlen - byte_size], &size);
80dfe2
@@ -67,6 +79,9 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc_curve_t curve, bigint_t x, bigint_t y,
80dfe2
 
80dfe2
   /* pad and store y */
80dfe2
   return 0;
80dfe2
+cleanup:
80dfe2
+  _gnutls_free_datum(out);
80dfe2
+  return ret;
80dfe2
 }
80dfe2
 
80dfe2