From b2226c6c8371bf69bb0fcb59cb7bb8562a548fba Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Fri, 9 Nov 2012 13:58:40 +0000 Subject: [PATCH] bn_word.c: fix overflow bug in BN_add_word. (cherry picked from commit 134c00659a1bc67ad35a1e4620e16bc4315e6e37) --- crypto/bn/bn_word.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c index ee7b87c45c..de83a15b99 100644 --- a/crypto/bn/bn_word.c +++ b/crypto/bn/bn_word.c @@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=!(a->neg); return(i); } - /* Only expand (and risk failing) if it's possibly necessary */ - if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && - (bn_wexpand(a,a->top+1) == NULL)) - return(0); - i=0; - for (;;) + for (i=0;w!=0 && itop;i++) { - if (i >= a->top) - l=w; - else - l=(a->d[i]+w)&BN_MASK2; - a->d[i]=l; - if (w > l) - w=1; - else - break; - i++; + a->d[i] = l = (a->d[i]+w)&BN_MASK2; + w = (w>l)?1:0; } - if (i >= a->top) + if (w && i==a->top) + { + if (bn_wexpand(a,a->top+1) == NULL) return 0; a->top++; + a->d[i]=w; + } bn_check_top(a); return(1); } -- 2.25.1