Check for overflows in i2d_ASN1_SET()

Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f)
author: Dr. Stephen Henson <steve@openssl.org> 2016-08-04 13:54:51 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2016-08-04 17:43:57 +0100
commit: 6592de7c8c090bbb7ec82bad07b3249153bb692f (patch)
tree: e3efd1928ccab422eb6ebccbbb5cb1e04c776add
parent: 5db2a579b72b94aa0dacb08530768a1a5759237d (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c
index bf3f971889..5fb5865575 100644
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1_mac.h>
 
@@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
 
     if (a == NULL)
         return (0);
-    for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--)
+    for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) {
+        int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+        if (tmplen > INT_MAX - ret)
+            return -1;
         ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+    }
     r = ASN1_object_size(1, ret, ex_tag);
-    if (pp == NULL)
+    if (pp == NULL || r == -1)
         return (r);
 
     p = *pp;
author	Dr. Stephen Henson <steve@openssl.org>	2016-08-04 13:54:51 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2016-08-04 17:43:57 +0100
commit	6592de7c8c090bbb7ec82bad07b3249153bb692f (patch)
tree	e3efd1928ccab422eb6ebccbbb5cb1e04c776add
parent	5db2a579b72b94aa0dacb08530768a1a5759237d (diff)