Fix a dangerous cross-thread memory access.

[PuTTY.git] / sshbn.c

diff --git a/sshbn.c b/sshbn.c
index cbd710d5aea4bd68d39a103274166b26af963241..b1ea5d63c488cde28e8744285a2368601863f56b 100644 (file)
--- a/sshbn.c
+++ b/sshbn.c
@@ -607,6 +607,7 @@ static void internal_add_shifted(BignumInt *number,
     addend = (BignumDblInt)n << bshift;
 
     while (addend) {
+        assert(word <= number[0]);
        addend += number[word];
        number[word] = (BignumInt) addend & BIGNUM_INT_MASK;
        addend >>= BIGNUM_INT_BITS;
@@ -1322,6 +1323,12 @@ int bignum_cmp(Bignum a, Bignum b)
     int amax = a[0], bmax = b[0];
     int i;
 
+    /* Annoyingly we have two representations of zero */
+    if (amax == 1 && a[amax] == 0)
+        amax = 0;
+    if (bmax == 1 && b[bmax] == 0)
+        bmax = 0;
+
     assert(amax == 0 || a[amax] != 0);
     assert(bmax == 0 || b[bmax] != 0);
 
@@ -1603,6 +1610,8 @@ Bignum bigdiv(Bignum a, Bignum b)
 {
     Bignum q = newbn(a[0]);
     bigdivmod(a, b, NULL, q);
+    while (q[0] > 1 && q[q[0]] == 0)
+        q[0]--;
     return q;
 }
 
@@ -1613,6 +1622,8 @@ Bignum bigmod(Bignum a, Bignum b)
 {
     Bignum r = newbn(b[0]);
     bigdivmod(a, b, r, NULL);
+    while (r[0] > 1 && r[r[0]] == 0)
+        r[0]--;
     return r;
 }
 
@@ -1672,6 +1683,8 @@ Bignum modinv(Bignum number, Bignum modulus)
        bigdivmod(a, b, t, q);
        while (t[0] > 1 && t[t[0]] == 0)
            t[0]--;
+       while (q[0] > 1 && q[q[0]] == 0)
+           q[0]--;
        freebn(a);
        a = b;
        b = t;