github.com/mono/boringssl.git
author: David Benjamin <davidben@chromium.org> 2015-03-19 03:37:12 +0300
committer: Adam Langley <agl@google.com> 2015-03-19 14:36:49 +0300
commit: 42574efaff5466104bc04692e48f0900cd1f971a
tree: a13c2a5e680b33d8a1303267fde5e3dcdae73f2d /crypto/bn/prime.c
parent: cdcecf546b8ea59cd0ac00a53cef7f31c3169480

Avoid undefined behavior in probable_prime.

(Imported from upstream's e4676e900f165f5272991443225813002300b09b.)

Change-Id: I678e158c223daf2f7f9114f4e743d531fe2e2a93
Reviewed-on: https://boringssl-review.googlesource.com/4044
Reviewed-by: Adam Langley <agl@google.com>

Diffstat (limited to 'crypto/bn/prime.c')
-rw-r--r-- crypto/bn/prime.c 8
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/bn/prime.c b/crypto/bn/prime.c
index 6bdc9217..cf3afcfd 100644
--- a/crypto/bn/prime.c
+++ b/crypto/bn/prime.c
@@ -659,7 +659,13 @@ again:
/* If bits is so small that it fits into a single word then we
* additionally don't want to exceed that many bits. */
if (is_single_word) {
- BN_ULONG size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+ BN_ULONG size_limit;
+ if (bits == BN_BITS2) {
+ /* Avoid undefined behavior. */
+ size_limit = ~((BN_ULONG)0) - get_word(rnd);
+ } else {
+ size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+ }
if (size_limit < maxdelta) {
maxdelta = size_limit;
}
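
Review bot: the `else` branch still evaluates `((BN_ULONG)1) << bits` for every value other than `BN_BITS2`, so the fix is complete only if `is_single_word` guarantees `bits <= BN_BITS2`, and that guarantee is not visible in this hunk. Either make the guard `bits >= BN_BITS2` or add an assertion next to the check so the invariant is enforced where the shift happens. The comment `/* Avoid undefined behavior. */` should also name the hazard: shifting a `BN_ULONG` by its full width (`BN_BITS2`) is undefined in C, which is why the all-ones form `~((BN_ULONG)0) - get_word(rnd)` is used. That form is arithmetically the same as `2^BN_BITS2 - get_word(rnd) - 1`, so the two branches are consistent; a test with `bits == BN_BITS2` would keep this from regressing.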