bn_word.c: fix overflow bug in BN_add_word.
authorAndy Polyakov <appro@openssl.org>
Fri, 9 Nov 2012 13:58:40 +0000 (13:58 +0000)
committerAndy Polyakov <appro@openssl.org>
Sat, 2 Feb 2013 21:37:35 +0000 (22:37 +0100)
(cherry picked from commit 134c00659a1bc67ad35a1e4620e16bc4315e6e37)

crypto/bn/bn_word.c

index ee7b87c45ccd38839db6261ed81c2d87b9e881b5..de83a15b99c53c0da9c07b1619153b9240359e18 100644 (file)
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
                        a->neg=!(a->neg);
                return(i);
                }
-       /* Only expand (and risk failing) if it's possibly necessary */
-       if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
-                       (bn_wexpand(a,a->top+1) == NULL))
-               return(0);
-       i=0;
-       for (;;)
+       for (i=0;w!=0 && i<a->top;i++)
                {
-               if (i >= a->top)
-                       l=w;
-               else
-                       l=(a->d[i]+w)&BN_MASK2;
-               a->d[i]=l;
-               if (w > l)
-                       w=1;
-               else
-                       break;
-               i++;
+               a->d[i] = l = (a->d[i]+w)&BN_MASK2;
+               w = (w>l)?1:0;
                }
-       if (i >= a->top)
+       if (w && i==a->top)
+               {
+               if (bn_wexpand(a,a->top+1) == NULL) return 0;
                a->top++;
+               a->d[i]=w;
+               }
        bn_check_top(a);
        return(1);
        }