Fix overflow in bnrand()

Fixes #23704 Change-Id: I0352fdf7cbca6c9db5f2d662e0a29ac318111382 Jira: SECLIB-799
openssl · Feb 29, 2024 · 4eefbee · 4eefbee
1 parent 2d70cc9
commit 4eefbee
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
@@ -36,8 +36,8 @@ static int bnrand(BNRAND_FLAG flag, BIGNUM *rnd, int bits, int top, int bottom,
     if (bits < 0 || (bits == 1 && top > 0))
         goto toosmall;
 
-    bytes = (bits + 7) / 8;
     bit = (bits - 1) % 8;
+    bytes = bits / 8 + (14 - bit) / 8;  /* Same as (bits + 7) / 8 but can't overflow */
     mask = 0xff << (bit + 1);
 
     buf = OPENSSL_malloc(bytes);