Avoid creating an illegal pointer

Found by tis-interpreter

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1106

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index a456ce8ce0cc82069a800e6e65f32603ddc271b7..eef1b878c810c9eb3841ea09f7fea204b628ebf0 100644 (file)
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -278,6 +278,9 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
             res->top--;
     }
 
             res->top--;
     }
 

+    /* Increase the resp pointer so that we never create an invalid pointer. */
+    resp++;
+

     /*
      * if res->top == 0 then clear the neg value otherwise decrease the resp
      * pointer
     /*
      * if res->top == 0 then clear the neg value otherwise decrease the resp
      * pointer


@@ -287,7 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
     else
         resp--;
 
     else
         resp--;
 

-    for (i = 0; i < loop - 1; i++, wnump--, resp--) {
+    for (i = 0; i < loop - 1; i++, wnump--) {

         BN_ULONG q, l0;
         /*
          * the first part of the loop uses the top two words of snum and sdiv
         BN_ULONG q, l0;
         /*
          * the first part of the loop uses the top two words of snum and sdiv


@@ -393,6 +396,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                 (*wnump)++;
         }
         /* store part of the result */
                 (*wnump)++;
         }
         /* store part of the result */

+        resp--;

         *resp = q;
     }
     bn_correct_top(snum);
         *resp = q;
     }
     bn_correct_top(snum);