There is a corner-case that causes BN_rshift to crash:
If BIGNUM a is 0, then a->top == 0, and a->d == 0.
For a small n we can get nw == 0 and rb != 0.
In this case we flow through the else below, hit the
indirection, and crash. Notice the for loop will never
execute. A clean solution is to move the assignment
to l inside the loop, as suggested in the comment.
_Matute
f= &(a->d[nw]);
t=r->d;
j=a->top-nw;
r->top=j;
if (rb == 0)
{
for (i=j+1; i > 0; i--)
*(t++)= *(f++);
}
else
{
l= *(f++); /* Remove this */
for (i=1; i<j; i++)
{
tmp =(l>>rb)&BN_MASK2;
/* l = *f++;
tmp = (l >> rb) & BN_MASK2;
*/
....
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
