Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

(Imported from upstream's e36f27ddb80a48e579783bc29fb3758988342b71.)

Change-Id: Ib9078921b4460952c4aa5a6b03ec39a03704bb90
Reviewed-on: https://boringssl-review.googlesource.com/10367
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>

crypto/bn/convert.c

@@ -375,6 +375,7 @@ char *BN_bn2dec(const BIGNUM *a) {
   char *p;
   BIGNUM *t = NULL;
   BN_ULONG *bn_data = NULL, *lp;
+  int bn_data_num;
 
   /* get an upper bound for the length of the decimal integer
    * num <= (BN_num_bits(a) + 1) * log(2)
@@ -383,7 +384,8 @@ char *BN_bn2dec(const BIGNUM *a) {
    */
   i = BN_num_bits(a) * 3;
   num = i / 10 + i / 1000 + 1 + 1;
-  bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+  bn_data_num = num / BN_DEC_NUM + 1;
+  bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
   buf = OPENSSL_malloc(num + 3);
   if ((buf == NULL) || (bn_data == NULL)) {
     OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
@@ -408,7 +410,13 @@ char *BN_bn2dec(const BIGNUM *a) {
   } else {
     while (!BN_is_zero(t)) {
       *lp = BN_div_word(t, BN_DEC_CONV);
+      if (*lp == (BN_ULONG)-1) {
+        goto err;
+      }
       lp++;
+      if (lp - bn_data >= bn_data_num) {
+        goto err;
+      }
     }
     lp--;
     /* We now have a series of blocks, BN_DEC_NUM chars