bn_word.c: fix overflow bug in BN_add_word.

author Andy Polyakov <appro@openssl.org>

Fri, 9 Nov 2012 13:58:40 +0000 (13:58 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)
author Andy Polyakov <appro@openssl.org>
Fri, 9 Nov 2012 13:58:40 +0000 (13:58 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)
diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c

index ee7b87c45ccd38839db6261ed81c2d87b9e881b5..de83a15b99c53c0da9c07b1619153b9240359e18 100644 (file)
--- a/crypto/bn/bn_word.c
+++ b/crypto/bn/bn_word.c
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
                         a->neg=!(a->neg);
                 return(i);
                 }
-       /* Only expand (and risk failing) if it's possibly necessary */
-       if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
-                       (bn_wexpand(a,a->top+1) == NULL))
-               return(0);
-       i=0;
-       for (;;)
+       for (i=0;w!=0 && i<a->top;i++)
                 {
-               if (i >= a->top)
-                       l=w;
-               else
-                       l=(a->d[i]+w)&BN_MASK2;
-               a->d[i]=l;
-               if (w > l)
-                       w=1;
-               else
-                       break;
-               i++;
+               a->d[i] = l = (a->d[i]+w)&BN_MASK2;
+               w = (w>l)?1:0;
                 }
-       if (i >= a->top)
+       if (w && i==a->top)
+               {
+               if (bn_wexpand(a,a->top+1) == NULL) return 0;
                 a->top++;
+               a->d[i]=w;
+               }
         bn_check_top(a);
         return(1);
         }
author	Andy Polyakov <appro@openssl.org>
	Fri, 9 Nov 2012 13:58:40 +0000 (13:58 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)