From 4f44df96dc33d091a71b0826916870758c55d9ec Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Mon, 24 Aug 2020 22:48:52 +1000
Subject: [PATCH] MP: integer OOB write fix

mp_to_unsigned_bin_len() now checks length passed in is greater than or equal length to write.
---
 wolfcrypt/src/integer.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c
index c7d2c7e34..6eaff1a62 100644
--- a/wolfcrypt/src/integer.c
+++ b/wolfcrypt/src/integer.c
@@ -321,9 +321,14 @@ int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)

 len = mp_unsigned_bin_size(a);

+ if (len > c) {
+ return MP_VAL;
+ }
+
 /* pad front w/ zeros to match length */
- for (i = 0; i < c - len; i++)
- b[i] = 0x00;
+ for (i = 0; i < c - len; i++) {
+ b[i] = 0x00;
+ }
 return mp_to_unsigned_bin(a, b + i);
 }

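Review bot: The new `len > c` early return leaves `b` completely unwritten, so a caller that ignores the return value of mp_to_unsigned_bin_len() would go on to use `c` bytes of uninitialized buffer; the callers are outside this hunk, so each call site should be checked for a tested return code. The contract is also undocumented: a comment above the function such as `/* Writes a into b as exactly c bytes, zero-padded at the front; returns MP_VAL and leaves b untouched when a needs more than c bytes. */` would make the size requirement explicit. The patch touches only integer.c and adds no test, so a regression case for `len == c` (succeeds, no padding) and `len == c + 1` (returns MP_VAL) would pin the boundary. The function's opening lines are outside the hunk.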