authorPauli <paul.dale@oracle.com>2017-07-07 02:17:59 +0200
committerPauli <paul.dale@oracle.com>2017-07-07 05:37:06 +0200
commit86ba26c80a49aee3c588d286d91eb3843529f7e2 (patch)
tree36b8d1ee9730e7cd1cd95e976fd2d7b5816441f0 /crypto/bn
parentchange return (x) to return x (diff)
Address potential buffer overflows.
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3878)
Diffstat (limited to 'crypto/bn')
-rw-r--r--crypto/bn/bn_print.c27
1 files changed, 15 insertions, 12 deletions
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 956b2d520f..9f849978d8 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -52,7 +52,7 @@ char *BN_bn2hex(const BIGNUM *a)
/* Must 'OPENSSL_free' the returned data */
char *BN_bn2dec(const BIGNUM *a)
{
- int i = 0, num, ok = 0;
+ int i = 0, num, ok = 0, n, tbytes;
char *buf = NULL;
char *p;
BIGNUM *t = NULL;
@@ -67,9 +67,10 @@ char *BN_bn2dec(const BIGNUM *a)
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
+ tbytes = num + 3; /* negative and terminator and one spare? */
bn_data_num = num / BN_DEC_NUM + 1;
bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
- buf = OPENSSL_malloc(num + 3);
+ buf = OPENSSL_malloc(tbytes);
if ((buf == NULL) || (bn_data == NULL)) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
goto err;
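Review bot: The comment on the new `tbytes` assignment ends with a question mark, so the one constant that every later BIO_snprintf bound is derived from has no stated rationale. The `num + 3` it replaces was undocumented too; this is the moment to pin it down, e.g. `tbytes = num + 3; /* room for a leading '-' and the NUL terminator, plus one spare byte */`. Since `tbytes` is later subtracted from a `size_t` pointer difference, declaring it `size_t tbytes;` in the preceding hunk would avoid mixing signed and unsigned arithmetic in that bound. BN_bn2dec's body continues outside the hunk.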
@@ -100,14 +101,16 @@ char *BN_bn2dec(const BIGNUM *a)
* the last one needs truncation. The blocks need to be reversed in
* order.
*/
- sprintf(p, BN_DEC_FMT1, *lp);
- while (*p)
- p++;
+ n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT1, *lp);
+ if (n < 0)
+ goto err;
+ p += n;
while (lp != bn_data) {
lp--;
- sprintf(p, BN_DEC_FMT2, *lp);
- while (*p)
- p++;
+ n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT2, *lp);
+ if (n < 0)
+ goto err;
+ p += n;
}
}
ok = 1;
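Review bot: The two new `if (n < 0) goto err;` checks hand NULL back to the caller without pushing anything onto the error queue, whereas the allocation failure earlier in the function reports via BNerr; assuming the `err` label frees `buf` and returns NULL when `ok` is unset, a truncated conversion is a silent failure. Adding `BNerr(BN_F_BN_BN2DEC, ERR_R_INTERNAL_ERROR);` before each `goto err` keeps error reporting consistent within the function. The `n < 0` test is sufficient only because OpenSSL's BIO_snprintf returns -1 on truncation, unlike C99 snprintf which returns the length it would have written; a comment at the first call, `/* BIO_snprintf returns -1 on truncation, unlike C99 snprintf */`, would stop a later "cleanup" to plain snprintf from reintroducing the overflow. That same behavior is what keeps `p - buf` below `tbytes`, so the `size_t` subtraction in the bound cannot wrap. BN_bn2dec's body continues outside the hunk.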
@@ -331,11 +334,11 @@ char *BN_options(void)
if (!init) {
init++;
#ifdef BN_LLONG
- sprintf(data, "bn(%d,%d)",
- (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8);
+ BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
+ sizeof(BN_ULLONG) * 8, sizeof(BN_ULONG) * 8);
#else
- sprintf(data, "bn(%d,%d)",
- (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8);
+ BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
+ sizeof(BN_ULONG) * 8, sizeof(BN_ULONG) * 8);
#endif
}
return data;
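Review bot: The return value of BIO_snprintf is discarded on both new branches, so a truncated or failed write leaves `data` holding whatever partial string resulted while `init` already marks it as filled, and every later call returns that string. This is harmless only if `data`, declared outside the hunk, is an array large enough for the longest possible `bn(%zu,%zu)` output; if it were a pointer, `sizeof(data)` would be the pointer size rather than the buffer size. A one-line comment at the declaration tying its size to the format, e.g. `/* holds "bn(NN,NN)" plus NUL; sizeof(data) is the BIO_snprintf bound */`, would make that dependency explicit. BN_options's body begins outside the hunk.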