[ntpsec-main commit] Prevent a (probably harmless) scratch buffer overrun in mfp_mul().
Eric S. Raymond
esr at ntpsec.org
Sun Nov 8 15:27:33 UTC 2015
Module: ntpsec-main
Branch: master
Commit: 4a7959c1f8613994b91cf22e04f71b45f63cda1f
Changeset: http://git.ntpsec.org//commit/?id=4a7959c1f8613994b91cf22e04f71b45f63cda1f
Author: Eric S. Raymond <esr at thyrsus.com>
Date: Sun Nov 8 10:27:10 2015 -0500
Prevent a (probably harmless) scratch buffer overrun in mfp_mul().
At the extreme end of the byte-multiplication loop, overflow propagation
(the line c[high_index]++) touched c[5]. Oops! Harmless, since the
variable following on the stack (carry) isn't set until after, but the
right thing to do is extend the scratch buffer.
---
libparse/mfp_mul.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libparse/mfp_mul.c b/libparse/mfp_mul.c
index d0c4133..2bb257b 100644
--- a/libparse/mfp_mul.c
+++ b/libparse/mfp_mul.c
@@ -40,7 +40,7 @@ mfp_mul(
uint32_t f;
u_long a[4]; /* operand a */
u_long b[4]; /* operand b */
- u_long c[5]; /* result c - 5 items for performance - see below */
+ u_long c[6]; /* result c - 5 items for performance - see below */
u_long carry;
int neg = 0;
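Review bot: the comment on the resized declaration still reads "5 items for performance" although the array now holds 6 elements, so the next reader cannot tell why the extra slot exists. Reword it to say that the sixth element absorbs the carry propagated by `c[high_index]++` at the top of the multiplication loop. The "harmless" assessment in the commit message depends on `carry` being laid out directly after `c` on the stack, which the compiler is free to change, so an assertion or explicit bound on `high_index` next to the increment would keep this from regressing silently if the loop limits are ever altered.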
@@ -121,7 +121,7 @@ mfp_mul(
f = ~(unsigned)0;
}
else
- { /* take produkt - discarding extra precision */
+ { /* take product - discarding extra precision */
i = c[2];
f = c[1];
}
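Review bot: the spelling change in the comment at the `else` branch ("produkt" to "product") is unrelated to the scratch buffer fix and is not mentioned in the commit message. Consider moving it to a separate cosmetic commit so the memory-safety change can be audited and cherry-picked on its own.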