Check for errors in BN_bn2dec()
authorDr. Stephen Henson <steve@openssl.org>
Fri, 5 Aug 2016 13:26:03 +0000 (14:26 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 15 Aug 2016 23:21:54 +0000 (00:21 +0100)
commite36f27ddb80a48e579783bc29fb3758988342b71
treed85fedd74758d1b038c122cdc1503e30210b5b90
parentd871284aca5524c85a6460119ac1b1e38f7e19c6
Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)

Conflicts:
crypto/bn/bn_print.c
crypto/bn/bn_print.c