Commit b757d2d8 authored by Rich Salz's avatar Rich Salz
Browse files

Iterate over EC_GROUP's poly array in a safe way 



Prevent that memory beyond the last element is accessed if every element
of group->poly[] is non-zero

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)

(cherry picked from commit 57f48f93)
parent d8d3b669

crypto/ec/ec_asn1.c

+6 −3
Original line number Diff line number Diff line
@@ -15,15 +15,18 @@ 


int EC_GROUP_get_basis_type(const EC_GROUP *group)

{

    int i = 0;

    int i;



    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=

        NID_X9_62_characteristic_two_field)

        /* everything else is currently not supported */

        return 0;



    while (group->poly[i] != 0)

        i++;

    /* Find the last non-zero element of group->poly[] */

    for (i = 0;

         i < (int)OSSL_NELEM(group->poly) & group->poly[i] != 0;

         i++)

        continue;



    if (i == 4)

        return NID_X9_62_ppBasis;