Fix overflow check in BN_bn2dec()

rhenium · andi34 · commit 42437d1ce6d0 · 2017-03-17T13:45:45.000+01:00
Fix an off by one error in the overflow check added by 07bed46f332fc
("Check for errors in BN_bn2dec()").

Change-Id: I1f193d3ba326e4e36335e708582d0bf1a004d023
Reviewed-by: Stephen Henson &lt;steve@openssl.org&gt;
Reviewed-by: Matt Caswell &lt;matt@openssl.org&gt;
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
@@ -139,15 +139,14 @@ char *BN_bn2dec(const BIGNUM *a)
 		if (BN_is_negative(t))
 			*p++ = '-';
 
-		i=0;
 		while (!BN_is_zero(t))
 			{
+			if (lp - bn_data >= bn_data_num)
+				goto err;
 			*lp=BN_div_word(t,BN_DEC_CONV);
 			if (*lp == (BN_ULONG)-1)
 				goto err;
 			lp++;
-			if (lp - bn_data >= bn_data_num)
-				goto err;
 			}
 		lp--;
 		/* We now have a series of blocks, BN_DEC_NUM chars
