Fix overflow check in BN_bn2dec()
authorKazuki Yamaguchi <k@rhe.jp>
Sun, 21 Aug 2016 17:36:36 +0000 (02:36 +0900)
committerMatt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 16:07:34 +0000 (17:07 +0100)
Fix an off by one error in the overflow check added by 07bed46f332fc
("Check for errors in BN_bn2dec()").

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30)

crypto/bn/bn_print.c

index b44403e..a9ff271 100644 (file)
@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
             if (*lp == (BN_ULONG)-1)
                 goto err;
             lp++;
-            if (lp - bn_data >= bn_data_num)
-                goto err;
         }
         lp--;
         /*