diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-08-04 13:54:51 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-08-04 17:43:57 +0100 |
commit | 6592de7c8c090bbb7ec82bad07b3249153bb692f (patch) | |
tree | e3efd1928ccab422eb6ebccbbb5cb1e04c776add | |
parent | 5db2a579b72b94aa0dacb08530768a1a5759237d (diff) |
Check for overflows in i2d_ASN1_SET()
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f)
-rw-r--r-- | crypto/asn1/a_set.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c index bf3f971889..5fb5865575 100644 --- a/crypto/asn1/a_set.c +++ b/crypto/asn1/a_set.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/asn1_mac.h> @@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, if (a == NULL) return (0); - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) + for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) { + int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + if (tmplen > INT_MAX - ret) + return -1; ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + } r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) + if (pp == NULL || r == -1) return (r); p = *pp; |