Check for errors in BN_bn2dec()
authorDr. Stephen Henson <steve@openssl.org>
Fri, 5 Aug 2016 13:26:03 +0000 (14:26 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 15 Aug 2016 23:23:30 +0000 (00:23 +0100)
commit28a89639da50b1caed4ff3015508f23173bf3e49
tree35334c07a35d0f00c4eb04ac2a91a45ad2ed750c
parentff0571b10c5e95f72daed39a30e5b18667f4d51e
Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)

Conflicts:
crypto/bn/bn_print.c
crypto/bn/bn_print.c