overflow in ecc_ansi_x963_export
Karel Miko
8 years ago
| 29 | 29 | int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen) |
| 30 | 30 | { |
| 31 | 31 | unsigned char buf[ECC_BUF_SIZE]; |
| 32 | unsigned long numlen; | |
| 32 | unsigned long numlen, xlen, ylen; | |
| 33 | 33 | |
| 34 | 34 | LTC_ARGCHK(key != NULL); |
| 35 | 35 | LTC_ARGCHK(out != NULL); |
| 39 | 39 | return CRYPT_INVALID_ARG; |
| 40 | 40 | } |
| 41 | 41 | numlen = key->dp->size; |
| 42 | xlen = mp_unsigned_bin_size(key->pubkey.x); | |
| 43 | ylen = mp_unsigned_bin_size(key->pubkey.y); | |
| 44 | ||
| 45 | if (xlen > numlen || ylen > numlen || sizeof(buf) < numlen) { | |
| 46 | return CRYPT_BUFFER_OVERFLOW; | |
| 47 | } | |
| 42 | 48 | |
| 43 | 49 | if (*outlen < (1 + 2*numlen)) { |
| 44 | 50 | *outlen = 1 + 2*numlen; |
| 50 | 56 | |
| 51 | 57 | /* pad and store x */ |
| 52 | 58 | zeromem(buf, sizeof(buf)); |
| 53 | mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - mp_unsigned_bin_size(key->pubkey.x))); | |
| 59 | mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - xlen)); | |
| 54 | 60 | XMEMCPY(out+1, buf, numlen); |
| 55 | 61 | |
| 56 | 62 | /* pad and store y */ |
| 57 | 63 | zeromem(buf, sizeof(buf)); |
| 58 | mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - mp_unsigned_bin_size(key->pubkey.y))); | |
| 64 | mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - ylen)); | |
| 59 | 65 | XMEMCPY(out+1+numlen, buf, numlen); |
| 60 | 66 | |
| 61 | 67 | *outlen = 1 + 2*numlen; |