Fix undefined behaviour when printing the X509 and CRL version

Found by oss-fuzz

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2231

2 files changed, 11 insertions, 3 deletions

diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c
index de0320d075..f3ca6db8e5 100644
--- a/crypto/x509/t_crl.c
+++ b/crypto/x509/t_crl.c
@@ -44,7 +44,10 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 
     BIO_printf(out, "Certificate Revocation List (CRL):\n");
     l = X509_CRL_get_version(x);
-    BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l);
+    if (l >= 0 && l <= 1)
+        BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", l + 1, (unsigned long)l);
+    else
+        BIO_printf(out, "%8sVersion unknown (%ld)\n", "", l);
     X509_CRL_get0_signature(x, &sig, &sig_alg);
     X509_signature_print(out, sig_alg, NULL);
     p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index 0fced677dd..77ce810835 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -60,8 +60,13 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
     }
     if (!(cflag & X509_FLAG_NO_VERSION)) {
         l = X509_REQ_get_version(x);
-        if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0)
-            goto err;
+        if (l >= 0 && l <= 2) {
+            if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
+                goto err;
+        } else {
+            if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
+                goto err;
+        }
     }
     if (!(cflag & X509_FLAG_NO_SUBJECT)) {
         if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)