File openssl-CVE-2016-2182.patch of Package compat-openssl098.14113

commit 28a89639da50b1caed4ff3015508f23173bf3e49
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Fri Aug 5 14:26:03 2016 +0100

    Check for errors in BN_bn2dec()
    
    If an oversize BIGNUM is presented to BN_bn2dec() it can cause
    BN_div_word() to fail and not reduce the value of 't' resulting
    in OOB writes to the bn_data buffer and eventually crashing.
    
    Fix by checking return value of BN_div_word() and checking writes
    don't overflow buffer.
    
    Thanks to Shi Lei for reporting this bug.
    
    CVE-2016-2182
    
    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
    
    Conflicts:
    	crypto/bn/bn_print.c

commit ff0571b10c5e95f72daed39a30e5b18667f4d51e
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Fri Aug 5 14:33:03 2016 +0100

    Check for errors in a2d_ASN1_OBJECT()
    
    Check for error return in BN_div_word().
    
    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (cherry picked from commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa)

commit 3612ff6fcec0e3d1f2a598135fe12177c0419582
Author: Kazuki Yamaguchi <k@rhe.jp>
Date:   Mon Aug 22 02:36:36 2016 +0900

    Fix overflow check in BN_bn2dec()
    
    Fix an off by one error in the overflow check added by 07bed46f332fc
    ("Check for errors in BN_bn2dec()").
    
    Reviewed-by: Stephen Henson <steve@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30)

Index: openssl-0.9.8j/crypto/bn/bn_print.c
===================================================================
--- openssl-0.9.8j.orig/crypto/bn/bn_print.c	2016-09-05 15:03:50.969408457 +0200
+++ openssl-0.9.8j/crypto/bn/bn_print.c	2016-09-05 15:05:33.327086548 +0200
@@ -108,6 +108,7 @@ char *BN_bn2dec(const BIGNUM *a)
 	char *p;
 	BIGNUM *t=NULL;
 	BN_ULONG *bn_data=NULL,*lp;
+	int bn_data_num;
 
 	/* get an upper bound for the length of the decimal integer
 	 * num <= (BN_num_bits(a) + 1) * log(2)
@@ -116,8 +117,9 @@ char *BN_bn2dec(const BIGNUM *a)
 	 */
 	i=BN_num_bits(a)*3;
 	num=(i/10+i/1000+1)+1;
-	bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
-	buf=(char *)OPENSSL_malloc(num+3);
+	bn_data_num = num / BN_DEC_NUM + 1;
+	bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+	buf = OPENSSL_malloc(num + 3);
 	if ((buf == NULL) || (bn_data == NULL))
 		{
 		BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE);
@@ -141,7 +143,11 @@ char *BN_bn2dec(const BIGNUM *a)
 		i=0;
 		while (!BN_is_zero(t))
 			{
+			if (lp - bn_data >= bn_data_num)
+				goto err;
 			*lp=BN_div_word(t,BN_DEC_CONV);
+			if (*lp == (BN_ULONG)-1)
+				goto err;
 			lp++;
 			}
 		lp--;
Index: openssl-0.9.8j/crypto/asn1/a_object.c
===================================================================
--- openssl-0.9.8j.orig/crypto/asn1/a_object.c	2016-09-05 15:03:50.733404578 +0200
+++ openssl-0.9.8j/crypto/asn1/a_object.c	2016-09-05 15:03:51.045409705 +0200
@@ -186,8 +186,13 @@ int a2d_ASN1_OBJECT(unsigned char *out,
 				if (!tmp)
 					goto err;
 				}
-			while(blsize--)
-				tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+			while (blsize--)
+				{
+				BN_ULONG t = BN_div_word(bl, 0x80L);
+				if (t == (BN_ULONG)-1)
+					goto err;
+				tmp[i++] = (unsigned char)t;
+				}
 			}
 		else
 			{
openSUSE Build Service is sponsored by