Date: Thu, 08 Nov 2012 20:39:29 +0100
From: Michiel Boland <michiel@boland.org>
To: Jan Mikkelsen <janm@transactionware.com>
Cc: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: dc(1) fails with "big number failure" on 2^64
Message-ID: <509C0A71.1060309@boland.org>
In-Reply-To: <509BFAA1.8000201@xs4all.nl>
References: <2ABD38E2-A9F7-4AD3-9364-B21F6566F7CB@transactionware.com> <509BFAA1.8000201@xs4all.nl>

On 11/08/2012 19:32, Michiel Boland wrote:
[...]
> No fix, but I see a problem in the BN_add_word function in
> /usr/src/crypto/openssl/crypto/bn/bn_word.c

Small test case:-

#include <openssl/bn.h>
#include <limits.h>

int main()
{
    BIGNUM *n;

    n = BN_new();
    BN_set_word(n, ULONG_MAX - 1);
    BN_add_word(n, 2);
    BN_free(n);
    return 0;
}

$ gcc x.c -lcrypto
$ valgrind ./a.out
==30682== Memcheck, a memory error detector
==30682== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==30682== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==30682== Command: ./a.out
==30682==
==30682== Invalid write of size 8
==30682==    at 0x1328EA8: BN_add_word (bn_word.c:158)
==30682==    by 0x40076E: main (in /usr/home/boland/a.out)
==30682==  Address 0x18fc0a8 is 0 bytes after a block of size 8 alloc'd
==30682==    at 0x100410B: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==30682==    by 0x1331B82: CRYPTO_malloc (mem.c:328)
==30682==    by 0x1330F76: ??? (bn_lib.c:317)
==30682==    by 0x13310C7: bn_expand2 (bn_lib.c:432)
==30682==    by 0x133121C: BN_set_word (bn_lib.c:570)
==30682==    by 0x400760: main (in /usr/home/boland/a.out)
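
The trace above shows an 8-byte write landing directly after the single 8-byte limb that BN_set_word allocated, on a sum that carries out of that limb. The following is an added example, not part of the original message and not OpenSSL's code: a toy word-add that grows the limb array before storing the carry. The names toy_bn, toy_expand, toy_set_word and toy_add_word are hypothetical.

```c
#include <limits.h>
#include <stdlib.h>

/* Hypothetical toy bignum (not OpenSSL's BIGNUM): little-endian limbs. */
typedef struct {
    unsigned long *d;   /* limb array */
    size_t top;         /* limbs in use */
    size_t dmax;        /* limbs allocated */
} toy_bn;

/* Grow the limb array to hold at least `limbs` limbs. Returns 1 on success. */
static int toy_expand(toy_bn *a, size_t limbs)
{
    unsigned long *p;
    if (limbs <= a->dmax)
        return 1;
    p = realloc(a->d, limbs * sizeof(*p));
    if (p == NULL)
        return 0;
    a->d = p;
    a->dmax = limbs;
    return 1;
}

/* Set a to the single-limb value w; needs only one limb of storage. */
int toy_set_word(toy_bn *a, unsigned long w)
{
    if (!toy_expand(a, 1))
        return 0;
    a->d[0] = w;
    a->top = (w != 0);
    return 1;
}

/* a += w. The array is grown before a new top limb is stored. */
int toy_add_word(toy_bn *a, unsigned long w)
{
    size_t i;
    for (i = 0; w != 0 && i < a->top; i++) {
        unsigned long s = a->d[i] + w;   /* unsigned wraparound is defined */
        w = (s < w);                     /* carry out of this limb: 0 or 1 */
        a->d[i] = s;
    }
    if (w != 0) {                        /* carry past the last used limb */
        if (!toy_expand(a, a->top + 1))  /* without this, d[top] is out of bounds */
            return 0;
        a->d[a->top++] = w;
    }
    return 1;
}
```
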