authorDr. Stephen Henson <steve@openssl.org>2016-08-02 00:30:47 +0100
committerDr. Stephen Henson <steve@openssl.org>2016-08-02 20:55:06 +0100
commit7149c709a24802f044f15e6a8e47d3926a547c2d (patch)
treeb9186aebf97aff78b3bb8b690ba41d5b9369516f
parente3db6f1c43f59eefec2608cef1fb3ca47c81a58f (diff)
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)
-rw-r--r--crypto/asn1/asn1_lib.c28
1 files changed, 16 insertions, 12 deletions
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 874b1af8b0..8752654103 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length)
int ASN1_object_size(int constructed, int length, int tag)
{
- int ret;
-
- ret = length;
- ret++;
+ int ret = 1;
+ if (length < 0)
+ return -1;
if (tag >= 31) {
while (tag > 0) {
tag >>= 7;
ret++;
}
}
- if (constructed == 2)
- return ret + 3;
- ret++;
- if (length > 127) {
- while (length > 0) {
- length >>= 8;
- ret++;
+ if (constructed == 2) {
+ ret += 3;
+ } else {
+ ret++;
+ if (length > 127) {
+ int tmplen = length;
+ while (tmplen > 0) {
+ tmplen >>= 8;
+ ret++;
+ }
}
}
- return (ret);
+ if (ret >= INT_MAX - length)
+ return -1;
+ return ret + length;
}
static int _asn1_Finish(ASN1_const_CTX *c)
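Review bot: ASN1_object_size() gains a -1 error return here (negative `length`, or header plus content reaching INT_MAX), but nothing on the function documents it and no caller is updated in this commit; the diffstat's 16 insertions are all inside this hunk. Any caller that adds the result to another size or uses it as an allocation length would need to reject a negative value first; those call sites are outside the hunk, so this should be confirmed against the tree. I would add a comment above the function such as `/* Returns the total encoded size (identifier, length octets and content), or -1 if length is negative or the total would overflow an int. */`. The `constructed == 2` branch would also benefit from a one-line comment on why it adds 3, since the value 2 is not named anywhere in the visible lines.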