Add more negative checks for integers passed to OPENSSL_malloc().

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14830)
author: Shane Lontis <shane.lontis@oracle.com> 2021-04-12 13:58:14 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2021-04-16 12:10:08 +1000
commit: 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (patch)
tree: 1122340c23e67327e2673fd516c5be2dc666e228 /crypto/asn1/a_int.c
parent: 34ed73339602c361d09fe4233d65cef996356239 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d..19e41ec73e 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     ASN1_INTEGER *ret = NULL;
     const unsigned char *p;
     unsigned char *s;
-    long len;
+    long len = 0;
     int inf, tag, xclass;
     int i;
 
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         goto err;
     }
 
+    if (len < 0) {
+        i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+        goto err;
+    }
     /*
      * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
      * a missing NULL parameter.
author	Shane Lontis <shane.lontis@oracle.com>	2021-04-12 13:58:14 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2021-04-16 12:10:08 +1000
commit	42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (patch)
tree	1122340c23e67327e2673fd516c5be2dc666e228 /crypto/asn1/a_int.c
parent	34ed73339602c361d09fe4233d65cef996356239 (diff)