authorHugo Landau <hlandau@openssl.org>2022-03-11 06:57:26 +0000
committerTomas Mraz <tomas@openssl.org>2022-03-15 13:06:35 +0100
commit591a2bf08b391955bed512496a20113da26f9f91 (patch)
tree87b62c9c44c6815e9bc634ff6d5fc9f22be9a6c0
parent4b51d6534accc1ae71d9f6e28266e27452382292 (diff)
Fix signed integer overflow in evp_enc
Fixes #17869. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17870) (cherry picked from commit 1832bb0f02e519a48f06a10467c7ce5f7f3feeeb)
-rw-r--r--crypto/evp/evp_enc.c13
-rw-r--r--test/sanitytest.c7
2 files changed, 14 insertions, 6 deletions
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 519cab3f2b..0cffa1028c 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -595,7 +595,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int ret;
- size_t soutl;
+ size_t soutl, inl_ = (size_t)inl;
int blocksize;
if (outl != NULL) {
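Review bot: `inl_ = (size_t)inl` converts the caller's `int` length at the declaration, before any sign check visible in this hunk, so a negative `inl` would become a value close to SIZE_MAX. In the provider call further down, `inl_ + (size_t)blocksize` would then wrap to a small output size while the input length passed to `cupdate` stays very large. Whether an earlier guard outside the hunks already rejects negative lengths cannot be seen here. If none exists, add one before the call, e.g. `if (inl < 0) { ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); return 0; }`. The same applies to the identical declaration in the EVP_DecryptUpdate hunk, and both function bodies continue outside the hunks.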
@@ -625,9 +625,10 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
return 0;
}
+
ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
- inl + (blocksize == 1 ? 0 : blocksize), in,
- (size_t)inl);
+ inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
+ in, inl_);
if (ret) {
if (soutl > INT_MAX) {
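Review bot: The new size argument `inl_ + (size_t)(blocksize == 1 ? 0 : blocksize)` carries no comment explaining why the sum cannot wrap. For a non-negative `inl` the argument holds because both operands are at most INT_MAX and SIZE_MAX exceeds 2*INT_MAX, which this commit checks in test/sanitytest.c. A one-line comment above the call would keep that dependency visible, e.g. `/* inl_ and blocksize are each <= INT_MAX, so the sum fits in size_t (see test_sanity_range) */`. The same comment fits the matching call in the EVP_DecryptUpdate hunk.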
@@ -743,7 +744,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
{
int fix_len, cmpl = inl, ret;
unsigned int b;
- size_t soutl;
+ size_t soutl, inl_ = (size_t)inl;
int blocksize;
if (outl != NULL) {
@@ -773,8 +774,8 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return 0;
}
ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
- inl + (blocksize == 1 ? 0 : blocksize), in,
- (size_t)inl);
+ inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
+ in, inl_);
if (ret) {
if (soutl > INT_MAX) {
diff --git a/test/sanitytest.c b/test/sanitytest.c
index b1aadc4aa8..ec850651d2 100644
--- a/test/sanitytest.c
+++ b/test/sanitytest.c
@@ -114,6 +114,13 @@ static int test_sanity_range(void)
TEST_error("int must not be wider than size_t");
return 0;
}
+
+ /* SIZE_MAX is always greater than 2*INT_MAX */
+ if (SIZE_MAX - INT_MAX <= INT_MAX) {
+ TEST_error("SIZE_MAX must exceed 2*INT_MAX");
+ return 0;
+ }
+
return 1;
}
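Review bot: The comment `/* SIZE_MAX is always greater than 2*INT_MAX */` states as fact the very property the following `if` exists to verify, and it does not say which code depends on it. Suggest rewording it to name the dependency, e.g. `/* evp_enc.c adds two int-range values as size_t; this needs SIZE_MAX > 2*INT_MAX */`. test_sanity_range starts outside the hunk.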