From 7429872b74c8216bbf15e241e47aba94369ef083 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Mon, 10 Nov 2014 07:50:18 +0100
Subject: [PATCH] when exporting curve coordinates to X9.63 format, perform additional sanity checks on input

Reported by Sean Burford.
---
 lib/gnutls_ecc.c |   25 +++++++++++++++++++++++--
 1 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/gnutls_ecc.c b/lib/gnutls_ecc.c
index 51abe7b..78d6b26 100644
--- a/lib/gnutls_ecc.c
+++ b/lib/gnutls_ecc.c
@@ -53,20 +53,41 @@ _gnutls_ecc_ansi_x963_export (gnutls_ecc_curve_t curve, bigint_t x, bigint_t y,
 
   /* pad and store x */
   byte_size = (_gnutls_mpi_get_nbits (x) + 7) / 8;
+  if (numlen < byte_size)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+      goto cleanup;
+    }
+
   size = out->size - (1 + (numlen - byte_size));
   ret = _gnutls_mpi_print (x, &out->data[1 + (numlen - byte_size)], &size);
   if (ret < 0)
-    return gnutls_assert_val (ret);
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
 
   byte_size = (_gnutls_mpi_get_nbits (y) + 7) / 8;
+  if (numlen < byte_size)
+    {
+      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+      goto cleanup;
+    }
+
   size = out->size - (1 + (numlen + numlen - byte_size));
   ret =
     _gnutls_mpi_print (y, &out->data[1 + numlen + numlen - byte_size], &size);
   if (ret < 0)
-    return gnutls_assert_val (ret);
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
 
   /* pad and store y */
   return 0;
+cleanup:
+  _gnutls_free_datum(out);
+  return ret;
 }
 
 
-- 
1.7.1