Blame SOURCES/gnutls-3.1.18-cve-2014-8564.patch
diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
index 51abe7b..5816b96 100644
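--- a/lib/gnutls_ecc.c
+++ b/lib/gnutls_ecc.c
@@ -53,12 +53,24 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc_curve_t curve, bigint_t x, bigint_t y,
 
 /* pad and store x */
 byte_size = (_gnutls_mpi_get_nbits (x) + 7) / 8;
+ if (numlen < byte_size)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ goto cleanup;
+ }
+
 size = out->size - (1 + (numlen - byte_size));
 ret = _gnutls_mpi_print (x, &out->data[1 + (numlen - byte_size)], &size);
 if (ret < 0)
 return gnutls_assert_val (ret);
 
 byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8;
+ if (numlen < byte_size)
+ {
+ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ goto cleanup;
+ }
+
 size = out->size - (1 + (numlen + numlen - byte_size));
 ret =
 _gnutls_mpi_print (y, &out->data[1 + numlen + numlen - byte_size], &size);
@@ -67,6 +79,9 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc_curve_t curve, bigint_t x, bigint_t y,
 
 /* pad and store y */
 return 0;
+cleanup:
+ _gnutls_free_datum(out);
+ return ret;
 }
 
 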
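Review bot: The existing `_gnutls_mpi_print (x, ...)` failure path in the first hunk still does `return gnutls_assert_val (ret);` directly, while the two new `numlen < byte_size` paths go through `cleanup:` and release `out`. If `out->data` is allocated earlier in the function (not visible in these hunks), that older return leaves it allocated on error. Routing it through the same label would make the error handling uniform, e.g. `if (ret < 0) { ret = gnutls_assert_val (ret); goto cleanup; }`, and the same presumably applies to the check after the y print, which lies between the two hunks. A one-line comment above each new guard would also help, e.g. `/* coordinate wider than the curve size: numlen - byte_size would go negative or wrap and index outside out->data */`, since that offset computation is what the guard protects. The start of `_gnutls_ecc_ansi_x963_export` is outside the hunks shown.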