From b757d2d82fd3ed4028d505b645258c9d97115443 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Wed, 22 Feb 2017 13:11:08 -0500 Subject: [PATCH] Iterate over EC_GROUP's poly array in a safe way Prevent that memory beyond the last element is accessed if every element of group->poly[] is non-zero Reviewed-by: Richard Levitte Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2689) (cherry picked from commit 57f48f939ed5d3119e3c691ea0a8a3ac2f4a1a9e) --- crypto/ec/ec_asn1.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 4f4d1edf0e..b6b13d3c10 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -15,15 +15,18 @@ int EC_GROUP_get_basis_type(const EC_GROUP *group) { - int i = 0; + int i; if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != NID_X9_62_characteristic_two_field) /* everything else is currently not supported */ return 0; - while (group->poly[i] != 0) - i++; + /* Find the last non-zero element of group->poly[] */ + for (i = 0; + i < (int)OSSL_NELEM(group->poly) & group->poly[i] != 0; + i++) + continue; if (i == 4) return NID_X9_62_ppBasis; -- 2.25.1