diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-08-02 00:30:47 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-08-02 20:55:06 +0100 |
commit | 7149c709a24802f044f15e6a8e47d3926a547c2d (patch) | |
tree | b9186aebf97aff78b3bb8b690ba41d5b9369516f | |
parent | e3db6f1c43f59eefec2608cef1fb3ca47c81a58f (diff) |
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)
-rw-r--r-- | crypto/asn1/asn1_lib.c | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 874b1af8b0..8752654103 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length) int ASN1_object_size(int constructed, int length, int tag) { - int ret; - - ret = length; - ret++; + int ret = 1; + if (length < 0) + return -1; if (tag >= 31) { while (tag > 0) { tag >>= 7; ret++; } } - if (constructed == 2) - return ret + 3; - ret++; - if (length > 127) { - while (length > 0) { - length >>= 8; - ret++; + if (constructed == 2) { + ret += 3; + } else { + ret++; + if (length > 127) { + int tmplen = length; + while (tmplen > 0) { + tmplen >>= 8; + ret++; + } } } - return (ret); + if (ret >= INT_MAX - length) + return -1; + return ret + length; } static int _asn1_Finish(ASN1_const_CTX *c) |