path: root/src/crypto/bn/convert.c
Commit message | Author | Age | Files | Lines

* Rewrite BN_bn2dec. | David Benjamin | 2017-03-22 | 1 | -58/+58

  This is a more complete fix for CVE-2016-2182. The original commit message was:

  "If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing.

  Fix by checking return value of BN_div_word() and checking writes don't overflow buffer.

  Thanks to Shi Lei for reporting this bug."

  BoringSSL's rewrite commit message:

  "958aaf1ea1b481e8ef32970d5b0add80504be4b2, imported from upstream, had an off-by-one error. Reproducing the failure is fairly easy as it can't even serialize 1. See also upstream's 099e2968ed3c7d256cda048995626664082b1b30.

  Rewrite the function completely with CBB and add a basic test.

  BUG=chromium:639740"

  CVE-2016-2182

  Change-Id: I41a91514c4bb9e83854824ed5258ffe4e49d9491
  Bug: 32096880
  (cherry picked from commit 29b92ab938c1a17d4d1b3b039042a0f499f58b5d)
  (cherry picked from commit 54bf62a81586d99d0a951ca3342d569b59e69b80 with adaptations from <sultanxda@gmail.com>)

* external/boringssl: bump revision. | Adam Langley | 2015-05-12 | 1 | -7/+3

  This change bumps the BoringSSL revision to the current tip-of-tree.

  Change-Id: I91d5bf467e16e8d86cb19a4de873985f524e5faa

* Ensure BN_asc2bn, BN_dec2bn, and BN_hex2bn never give -0. | Adam Langley | 2015-04-23 | 1 | -9/+10

  When |BN_dec2bn| and |BN_hex2bn| were merged (way back in the initial BoringSSL change), the neg flag was set too soon and could be cleared by |BN_add_word|.

  This is an import of upstream's c85573cc. The unittest change isn't included here because bn_test.c has changed significantly in upstream and BoringSSL unittests aren't run in the Android environment.

  Bug: 20523350
  Change-Id: Iaf8efe2fe3419218437f5ebb9a15f73559860a0f

* Initial commit of BoringSSL for Android. | Adam Langley | 2015-01-30 | 1 | -0/+504