Check for errors in BN_bn2dec()

[openssl.git] / crypto / bn / bn_print.c

diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 78589dba5bdb3549f92290ee3004774e6dc3fba2..f6030ff14cc6cb4cacad7b95229e565b7a95acd0 100644 (file)
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -62,6 +62,7 @@ char *BN_bn2dec(const BIGNUM *a)
     char *p;
     BIGNUM *t = NULL;
     BN_ULONG *bn_data = NULL, *lp;
+    int bn_data_num;
 
     /*-
      * get an upper bound for the length of the decimal integer
@@ -71,7 +72,8 @@ char *BN_bn2dec(const BIGNUM *a)
      */
     i = BN_num_bits(a) * 3;
     num = (i / 10 + i / 1000 + 1) + 1;
-    bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+    bn_data_num = num / BN_DEC_NUM + 1;
+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
     buf = OPENSSL_malloc(num + 3);
     if ((buf == NULL) || (bn_data == NULL)) {
         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -93,7 +95,11 @@ char *BN_bn2dec(const BIGNUM *a)
         i = 0;
         while (!BN_is_zero(t)) {
             *lp = BN_div_word(t, BN_DEC_CONV);
+            if (*lp == (BN_ULONG)-1)
+                goto err;
             lp++;
+            if (lp - bn_data >= bn_data_num)
+                goto err;
         }
         lp--;
         /*
@@ -241,8 +247,9 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
         l += *a - '0';
         a++;
         if (++j == BN_DEC_NUM) {
-            BN_mul_word(ret, BN_DEC_CONV);
-            BN_add_word(ret, l);
+            if (!BN_mul_word(ret, BN_DEC_CONV)
+                || !BN_add_word(ret, l))
+                goto err;
             l = 0;
             j = 0;
         }