Skip to content
Commit 28a89639 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Check for errors in BN_bn2dec()



If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f)

Conflicts:
	crypto/bn/bn_print.c
parent ff0571b1
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment