sshbn.c (modmul): Prevent buffer underrun.

[u/mdw/putty] / sshbn.c

diff --git a/sshbn.c b/sshbn.c
index 5567e56..da24978 100644 (file)
--- a/sshbn.c
+++ b/sshbn.c
@@ -1015,6 +1015,12 @@ Bignum modmul(Bignum p, Bignum q, Bignum mod)
 
     pqlen = (p[0] > q[0] ? p[0] : q[0]);
 
+    /* Make sure that we're allowing enough space.  The shifting below will
+     * underflow the vectors we allocate if `pqlen' is too small.
+     */
+    if (2*pqlen <= mlen)
+        pqlen = mlen/2 + 1;
+
     /* Allocate n of size pqlen, copy p to n */
     n = snewn(pqlen, BignumInt);
     i = pqlen - p[0];