rpms / openssl

Clone
Source Code
GIT

Blame SOURCES/openssl-1.0.1e-cve-2016-2182.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   653b37a36fcfa8d53d73e34d10ac70e7aaafba1c
  2.   SOURCES
  3.   openssl-1.0.1e-cve-2016-2182.patch
Blob History Raw
653b37 
diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow openssl-1.0.1e/crypto/bn/bn_print.c
653b37 
--- openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow	2016-09-20 14:55:57.000000000 +0200
653b37 
+++ openssl-1.0.1e/crypto/bn/bn_print.c	2016-09-20 16:53:29.825854773 +0200
653b37 
@@ -108,6 +108,7 @@ char *BN_bn2dec(const BIGNUM *a)
653b37 
 	char *p;
653b37 
 	BIGNUM *t=NULL;
653b37 
 	BN_ULONG *bn_data=NULL,*lp;
653b37 
+	int bn_data_num;
653b37
653b37 
 	/* get an upper bound for the length of the decimal integer
653b37 
 	 * num <= (BN_num_bits(a) + 1) * log(2)
653b37 
@@ -116,7 +117,8 @@ char *BN_bn2dec(const BIGNUM *a)
653b37 
 	 */
653b37 
 	i=BN_num_bits(a)*3;
653b37 
 	num=(i/10+i/1000+1)+1;
653b37 
-	bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
653b37 
+	bn_data_num=num/BN_DEC_NUM + 1;
653b37 
+	bn_data=(BN_ULONG *)OPENSSL_malloc(bn_data_num*sizeof(BN_ULONG));
653b37 
 	buf=(char *)OPENSSL_malloc(num+3);
653b37 
 	if ((buf == NULL) || (bn_data == NULL))
653b37 
 		{
653b37 
@@ -141,7 +143,11 @@ char *BN_bn2dec(const BIGNUM *a)
653b37 
 		i=0;
653b37 
 		while (!BN_is_zero(t))
653b37 
 			{
653b37 
+			if (lp - bn_data >= bn_data_num)
653b37 
+				goto err;
653b37 
 			*lp=BN_div_word(t,BN_DEC_CONV);
653b37 
+			if (*lp == (BN_ULONG)-1)
653b37 
+				goto err;
653b37 
 			lp++;
653b37 
 			}
653b37 
 		lp--;

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation