bn_div() does some pretty nasty things with temporary variables,

constructing BIGNUM structures with pointers offset into other bignums
(among other things). This corrects some of it that is too plainly insane,
and tries to ensure that bignums are normalised when passed to other
functions.

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index b2efe5bb53206cd09c8f96c1ed050373d63e62f3..0fe58dbf69211a1c526c884c30b61ed11bd8b1a0 100644 (file)
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -227,9 +227,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
         * This is the part that corresponds to the current
         * 'area' being divided */
        BN_init(&wnum);
+       wnum.flags = BN_FLG_STATIC_DATA; /* prevent accidental "expands" */
        wnum.d=  &(snum->d[loop]);
        wnum.top= div_n;
-       wnum.dmax= snum->dmax+1; /* a bit of a lie */
+       wnum.dmax= snum->dmax - loop; /* so we don't step out of bounds */
 
        /* Get the top 2 words of sdiv */
        /* i=sdiv->top; */
@@ -248,6 +249,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        /* space for temp */
        if (!bn_wexpand(tmp,(div_n+1))) goto err;
 
+       bn_fix_top(&wnum);
        if (BN_ucmp(&wnum,sdiv) >= 0)
                {
                if (!BN_usub(&wnum,&wnum,sdiv)) goto err;
@@ -346,7 +348,7 @@ X) -> 0x%08X\n",
 #endif /* !BN_DIV3W */
 
                l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
-               wnum.d--; wnum.top++;
+               wnum.d--; wnum.top++; wnum.dmax++;
                tmp->d[div_n]=l0;
                /* XXX: Couldn't we replace this with;
                 *    tmp->top = div_n;