From 07b04ff7268a454ef8017270283d1c8f90c23ffc Mon Sep 17 00:00:00 2001
From: Kaz Kylheku <kaz@kylheku.com>
Date: Wed, 8 Jun 2016 06:03:19 -0700
Subject: Fix out-of-bounds memory access in bit.

* mpi/mpi.c (mp_bit): If the digit index is beyond
the available digits in the number, report MP_NO rather than
accessing undefined digit material or beyond the array
entirely.
---
 mpi/mpi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/mpi/mpi.c b/mpi/mpi.c
index cb6567a5..178b5fee 100644
--- a/mpi/mpi.c
+++ b/mpi/mpi.c
@@ -2781,7 +2781,7 @@ mp_err mp_bit(mp_int *a, mp_digit bit)
     a = &tmp;
   }
 
-  return (DIGITS(a)[digit] & mask) != 0 ? MP_YES : MP_NO;
+  return (digit < USED(a) && (DIGITS(a)[digit] & mask) != 0) ? MP_YES : MP_NO;
 }
 
 mp_err mp_to_double(mp_int *mp, double *d)
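Review bot: On the path where `a` has just been redirected to `&tmp`, the rewritten return still leaves mp_bit with no visible release of `tmp`. If `tmp` owns heap-allocated digits, every call on that path would leak them; its initialisation is above the hunk, so this is inferred. Consider storing the result in a local, e.g. `mp_err bitval = (digit < USED(a) && (DIGITS(a)[digit] & mask) != 0) ? MP_YES : MP_NO;`, then calling `mp_clear(&tmp)` when the temporary was used, and returning `bitval`. The bounds check itself deserves a short comment above the return, such as `/* digits at or beyond USED(a) are not part of the value: report the bit as clear */`. Please also confirm that "clear" is the intended answer when `a` is the temporary and not only for the caller's original number.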
-- 
cgit v1.2.3