[openssl-commits] [openssl] OpenSSL_1_0_0-stable update

Matt Caswell matt at openssl.org
Thu Jun 4 08:35:12 UTC 2015


The branch OpenSSL_1_0_0-stable has been updated
       via  0d3a7e7c9147357ca69993944a279cd0931963d5 (commit)
      from  a85eef72f5c12b1efbcf7abcbbabf0140fb997bf (commit)


- Log -----------------------------------------------------------------
commit 0d3a7e7c9147357ca69993944a279cd0931963d5
Author: Matt Caswell <matt at openssl.org>
Date:   Tue May 19 13:59:47 2015 +0100

    Fix off-by-one error in BN_bn2hex
    
    A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
    for this and can allocate a buffer one byte too short in the event of -0
    being used, leading to a one byte buffer overrun. All usage within the
    OpenSSL library is considered safe. Any security risk is considered
    negligible.
    
    With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
    Filip Palian for discovering and reporting this issue.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit c56353071d9849220714d8a556806703771b9269)
    
    Conflicts:
    	crypto/bn/bn_print.c

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_print.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index a55836f..937d513 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a)
     char *buf;
     char *p;
 
-    buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+    if (a->neg && BN_is_zero(a)) {
+        /* "-0" == 3 bytes including NULL terminator */
+        buf = OPENSSL_malloc(3);
+    } else {
+        buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
+    }
     if (buf == NULL) {
         BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
         goto err;
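
Review bot: the else branch keeps a->top * BN_BYTES * 2 + 2 with no comment saying what the "+ 2" covers, so the reader has to work out why only -0 needs its own case. With a->top == 0 that expression yields 2 bytes, which holds "0" plus the terminator but not "-0"; for a->top >= 1 the "+ 2" is the sign and the terminator on top of the hex digits. A one-line comment on the else branch stating this would help, or the two branches could be folded into a single size expression that adds one byte when the value is zero. Minor: the comment in the new branch says "NULL terminator" where the NUL byte is meant.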

