when exporting curve coordinates to X9.63 format, perform additional sanity checks on input

Reported by Sean Burford.

1 files changed, 21 insertions, 4 deletions

diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
index 774b5b6d10..abc532b8af 100644
--- a/lib/gnutls_ecc.c
+++ b/lib/gnutls_ecc.c
@@ -53,24 +53,41 @@ _gnutls_ecc_ansi_x963_export(gnutls_ecc_curve_t curve, bigint_t x,
 
 	/* pad and store x */
 	byte_size = (_gnutls_mpi_get_nbits(x) + 7) / 8;
+	if (numlen < byte_size) {
+		ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		goto cleanup;
+	}
+
 	size = out->size - (1 + (numlen - byte_size));
 	ret =
 	    _gnutls_mpi_print(x, &out->data[1 + (numlen - byte_size)],
 			      &size);
-	if (ret < 0)
-		return gnutls_assert_val(ret);
+	if (ret < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
 
 	byte_size = (_gnutls_mpi_get_nbits(y) + 7) / 8;
+	if (numlen < byte_size) {
+		ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		goto cleanup;
+	}
+
 	size = out->size - (1 + (numlen + numlen - byte_size));
 	ret =
 	    _gnutls_mpi_print(y,
 			      &out->data[1 + numlen + numlen - byte_size],
 			      &size);
-	if (ret < 0)
-		return gnutls_assert_val(ret);
+	if (ret < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
 
 	/* pad and store y */
 	return 0;
+ cleanup:
+ 	_gnutls_free_datum(out);
+ 	return ret;
 }