From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 4 Feb 2016 18:53:07 +0000 (+0000)
Subject: Allocate ASN1_bn_print buffer internally.
X-Git-Tag: OpenSSL_1_1_0-pre3~261
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ac3e3665016e4441475276461d5f910eb9e9ea15;p=oweals%2Fopenssl.git

Allocate ASN1_bn_print buffer internally.

Don't require an application to work out the appropriate buffer size for
ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate
it internally instead.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
---

diff --git a/crypto/asn1/t_pkey.c b/crypto/asn1/t_pkey.c
index afe347bab2..b17862c2f4 100644
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -91,14 +91,16 @@ int ASN1_buf_print(BIO *bp, unsigned char *buf, size_t buflen, int indent)
 }
 
 int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
-                  unsigned char *buf, int indent)
+                  unsigned char *ign, int indent)
 {
-    int n;
+    int n, rv = 0;
     const char *neg;
+    unsigned char *buf = NULL, *tmp = NULL;
+    int buflen;
 
     if (num == NULL)
         return 1;
-    neg = (BN_is_negative(num)) ? "-" : "";
+    neg = BN_is_negative(num) ? "-" : "";
     if (!BIO_indent(bp, indent, ASN1_PRINT_MAX_INDENT))
         return 0;
     if (BN_is_zero(num)) {
@@ -111,21 +113,29 @@ int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
         if (BIO_printf(bp, "%s %s%lu (%s0x%lx)\n", number, neg,
                        (unsigned long)bn_get_words(num)[0], neg,
                        (unsigned long)bn_get_words(num)[0]) <= 0)
-            return (0);
-    } else {
-        buf[0] = 0;
-        if (BIO_printf(bp, "%s%s\n", number,
-                       (neg[0] == '-') ? " (Negative)" : "") <= 0)
-            return (0);
-        n = BN_bn2bin(num, &buf[1]);
-
-        if (buf[1] & 0x80)
-            n++;
-        else
-            buf++;
-
-        if (ASN1_buf_print(bp, buf, n, indent + 4) == 0)
             return 0;
+        return 1;
     }
-    return 1;
+
+    buflen = BN_num_bytes(num) + 1;
+    buf = tmp = OPENSSL_malloc(buflen);
+    if (buf == NULL)
+        goto err;
+    buf[0] = 0;
+    if (BIO_printf(bp, "%s%s\n", number,
+                   (neg[0] == '-') ? " (Negative)" : "") <= 0)
+        goto err;
+    n = BN_bn2bin(num, buf + 1);
+
+    if (buf[1] & 0x80)
+        n++;
+    else
+        tmp++;
+
+    if (ASN1_buf_print(bp, tmp, n, indent + 4) == 0)
+        goto err;
+    rv = 1;
+    err:
+    OPENSSL_clear_free(buf, buflen);
+    return rv;
 }