Allocate ASN1_bn_print buffer internally.

Don't require an application to work out the appropriate buffer size for ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate it internally instead. Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>

Allocate ASN1_bn_print buffer internally.
Don't require an application to work out the appropriate buffer size for ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate it internally instead. Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>
ac3e3665 · Dr. Stephen Henson · 907e9500 · ac3e3665
隐藏空白更改
内联并排

Showing with 28 addition and 18 deletion

crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c +28 -18

未找到文件。
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -91,14 +91,16 @@ int ASN1_buf_print(BIO *bp, unsigned char *buf, size_t buflen, int indent)
 }

 int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
-                  unsigned char *buf, int indent)
+                  unsigned char *ign, int indent)
 {
-    int n;
+    int n, rv = 0;
    const char *neg;
+    unsigned char *buf = NULL, *tmp = NULL;
+    int buflen;

    if (num == NULL)
        return 1;
-    neg = (BN_is_negative(num)) ? "-" : "";
+    neg = BN_is_negative(num) ? "-" : "";
    if (!BIO_indent(bp, indent, ASN1_PRINT_MAX_INDENT))
        return 0;
    if (BN_is_zero(num)) {
@@ -111,21 +113,29 @@ int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
        if (BIO_printf(bp, "%s %s%lu (%s0x%lx)\n", number, neg,
                       (unsigned long)bn_get_words(num)[0], neg,
                       (unsigned long)bn_get_words(num)[0]) <= 0)
-            return (0);
-    } else {
-        buf[0] = 0;
-        if (BIO_printf(bp, "%s%s\n", number,
-                       (neg[0] == '-') ? " (Negative)" : "") <= 0)
-            return (0);
-        n = BN_bn2bin(num, &buf[1]);
-
-        if (buf[1] & 0x80)
-            n++;
-        else
-            buf++;
-
-        if (ASN1_buf_print(bp, buf, n, indent + 4) == 0)
            return 0;
+        return 1;
    }
-    return 1;
+
+    buflen = BN_num_bytes(num) + 1;
+    buf = tmp = OPENSSL_malloc(buflen);
+    if (buf == NULL)
+        goto err;
+    buf[0] = 0;
+    if (BIO_printf(bp, "%s%s\n", number,
+                   (neg[0] == '-') ? " (Negative)" : "") <= 0)
+        goto err;
+    n = BN_bn2bin(num, buf + 1);
+
+    if (buf[1] & 0x80)
+        n++;
+    else
+        tmp++;
+
+    if (ASN1_buf_print(bp, tmp, n, indent + 4) == 0)
+        goto err;
+    rv = 1;
+    err:
+    OPENSSL_clear_free(buf, buflen);
+    return rv;
 }