Fix buffer overflow in mpi_write_string() Fix a buffer overflow when writting a string representation of an MPI number to a buffer in hexadecimal. The problem occurs because hex digits are written in pairs and this is not accounted for in the calculation of the required buffer size when the number of digits is odd.

commit: 2b2fc115df493296ea9dd047d6b52aec7297c0cc [log] [tgz]
author: Andres AG <andres.amayagarcia@arm.com> Wed Mar 01 14:04:08 2017 +0000
committer: Simon Butcher <simon.butcher@arm.com> Thu Mar 02 23:01:54 2017 +0000
tree: 93c10b3d04e2696cc145f28cbc1bba3fc4a8decb
parent: c066af670baa44378878bff985728f2ec958d03b [diff] [blame]
diff --git a/library/bignum.c b/library/bignum.c
index 4fe841c..afde19b 100644
--- a/library/bignum.c
+++ b/library/bignum.c

@@ -538,7 +538,12 @@
     n = mpi_msb( X );
     if( radix >=  4 ) n >>= 1;
     if( radix >= 16 ) n >>= 1;
-    n += 3;
+    /*
+     * Round up the buffer length to an even value to ensure that there is
+     * enough room for hexadecimal values that can be represented in an odd
+     * number of digits.
+     */
+    n += 3 + ( ( n + 1 ) & 1 );
 
     if( *slen < n )
     {
commit	2b2fc115df493296ea9dd047d6b52aec7297c0cc	[log] [tgz]
author	Andres AG <andres.amayagarcia@arm.com>	Wed Mar 01 14:04:08 2017 +0000
committer	Simon Butcher <simon.butcher@arm.com>	Thu Mar 02 23:01:54 2017 +0000
tree	93c10b3d04e2696cc145f28cbc1bba3fc4a8decb
parent	c066af670baa44378878bff985728f2ec958d03b [diff] [blame]