overflow in ecc_ansi_x963_export
Karel Miko
8 years ago
29 | 29 | int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen) |
30 | 30 | { |
31 | 31 | unsigned char buf[ECC_BUF_SIZE]; |
32 | unsigned long numlen; | |
32 | unsigned long numlen, xlen, ylen; | |
33 | 33 | |
34 | 34 | LTC_ARGCHK(key != NULL); |
35 | 35 | LTC_ARGCHK(out != NULL); |
39 | 39 | return CRYPT_INVALID_ARG; |
40 | 40 | } |
41 | 41 | numlen = key->dp->size; |
42 | xlen = mp_unsigned_bin_size(key->pubkey.x); | |
43 | ylen = mp_unsigned_bin_size(key->pubkey.y); | |
44 | ||
45 | if (xlen > numlen || ylen > numlen || sizeof(buf) < numlen) { | |
46 | return CRYPT_BUFFER_OVERFLOW; | |
47 | } | |
42 | 48 | |
43 | 49 | if (*outlen < (1 + 2*numlen)) { |
44 | 50 | *outlen = 1 + 2*numlen; |
50 | 56 | |
51 | 57 | /* pad and store x */ |
52 | 58 | zeromem(buf, sizeof(buf)); |
53 | mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - mp_unsigned_bin_size(key->pubkey.x))); | |
59 | mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - xlen)); | |
54 | 60 | XMEMCPY(out+1, buf, numlen); |
55 | 61 | |
56 | 62 | /* pad and store y */ |
57 | 63 | zeromem(buf, sizeof(buf)); |
58 | mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - mp_unsigned_bin_size(key->pubkey.y))); | |
64 | mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - ylen)); | |
59 | 65 | XMEMCPY(out+1+numlen, buf, numlen); |
60 | 66 | |
61 | 67 | *outlen = 1 + 2*numlen; |