bignum_set_bit: Don't abort if asked to clear an inaccessible bit

All those bits are clear anyway. Bug found with the help of afl-fuzz. (cherry picked from commit 4f34059902)
2015-10-11 09:27:55 +01:00 · 2015-10-11 09:27:55 +01:00 · d03024905e
--- a/sshbn.c
+++ b/sshbn.c
@ -1202,9 +1202,9 @@ int bignum_bit(Bignum bn, int i)
 */
 void bignum_set_bit(Bignum bn, int bitnum, int value)
 {
-    if (bitnum < 0 || bitnum >= (int)(BIGNUM_INT_BITS * bn[0]))
-	abort();		       /* beyond the end */
-    else {
+    if (bitnum < 0 || bitnum >= (int)(BIGNUM_INT_BITS * bn[0])) {
+        if (value) abort();		       /* beyond the end */
+    } else {
 	int v = bitnum / BIGNUM_INT_BITS + 1;
 	BignumInt mask = (BignumInt)1 << (bitnum % BIGNUM_INT_BITS);
 	if (value)