From: Mark Wooding Date: Mon, 29 Jul 2013 22:28:12 +0000 (+0100) Subject: sshbn.c (modmul): Prevent buffer underrun. X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/commitdiff_plain/aca5132bdf53bf0d7983c09b3b95c8bbec559580 sshbn.c (modmul): Prevent buffer underrun. In `modmul', if * the topmost bit of mod is clear, so mshift is nonzero; and * both p and q are no more than half as long as mod, so 2*pqlen <= mlen then we run this code: if (mshift) { for (i = 2 * pqlen - mlen - 1; i < 2 * pqlen - 1; i++) a[i] = (a[i] << mshift) | (a[i + 1] >> (BIGNUM_INT_BITS - mshift)); But then mlen + 1 > 2*pqlen and therefore i is initially negative -- and therefore certainly less than 2*pqlen. So the initial access to a[] is illegal. Signed-off-by: Mark Wooding --- diff --git a/sshbn.c b/sshbn.c index 5567e56c..da249781 100644 --- a/sshbn.c +++ b/sshbn.c @@ -1015,6 +1015,12 @@ Bignum modmul(Bignum p, Bignum q, Bignum mod) pqlen = (p[0] > q[0] ? p[0] : q[0]); + /* Make sure that we're allowing enough space. The shifting below will + * underflow the vectors we allocate if `pqlen' is too small. + */ + if (2*pqlen <= mlen) + pqlen = mlen/2 + 1; + /* Allocate n of size pqlen, copy p to n */ n = snewn(pqlen, BignumInt); i = pqlen - p[0];
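Review bot: The comment added above `if (2*pqlen <= mlen)` says the shifting "will underflow the vectors" but never states the invariant the clamp enforces, so a later reader has to rederive it from the loop. Suggest spelling it out as 2*pqlen > mlen, which is what keeps the starting index `2 * pqlen - mlen - 1` of the mshift loop quoted in the commit message non-negative. With `pqlen = mlen/2 + 1` that index is 0 for odd mlen and 1 for even mlen, so the clamp is the smallest value that works. An assertion of the same invariant next to the shift loop would keep the allocation size and the loop bounds from drifting apart in later edits. "Underflow" also reads like arithmetic underflow; wording such as "index a[] before its start" would match the "buffer underrun" in the subject line.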