From a990b40e6d87ee721e36986e60fe36b7a033729c Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 22 Jun 2022 09:03:06 +0000
Subject: [PATCH] Error out on negative shifts in BN_{r,l}shift()

Without these checks in both functions nw = n / BN_BITS2 will be negative
and this leads to out-of-bounds accesses via negative array indices and
memset with a negative size.

Pointed out by cheloha

ok jsing
---
 lib/libcrypto/bn/bn_shift.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/libcrypto/bn/bn_shift.c b/lib/libcrypto/bn/bn_shift.c
index 0e8211e3d60..e89e157446c 100644
--- a/lib/libcrypto/bn/bn_shift.c
+++ b/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.13 2014/10/28 07:35:58 jsg Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.14 2022/06/22 09:03:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/err.h>
+
 #include "bn_lcl.h"
 
 int
@@ -138,6 +140,11 @@ BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
 	BN_ULONG *t, *f;
 	BN_ULONG l;
 
+	if (n < 0) {
+		BNerror(BN_R_INVALID_LENGTH);
+		return 0;
+	}
+
 	bn_check_top(r);
 	bn_check_top(a);
 
@@ -175,6 +182,11 @@ BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
 	BN_ULONG *t, *f;
 	BN_ULONG l, tmp;
 
+	if (n < 0) {
+		BNerror(BN_R_INVALID_LENGTH);
+		return 0;
+	}
+
 	bn_check_top(r);
 	bn_check_top(a);
 
-- 
2.20.1