Reject decoding of an INT64 with a value >INT64_MAX

Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3159)
author: Matt Caswell <matt@openssl.org> 2017-04-10 17:33:29 +0100
committer: Matt Caswell <matt@openssl.org> 2017-04-11 15:29:42 +0100
commit: 0856e3f167964f58c26796331eab9d8b0a883921 (patch)
tree: 62eb11a4c6e626a5e82fbbda7bcd4f162dae102e /crypto/asn1
parent: 745dec3aed750d681a81a049152edbb57c1f8c2d (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/crypto/asn1/x_int64.c b/crypto/asn1/x_int64.c
index 9da692ca6f..33e4061699 100644
--- a/crypto/asn1/x_int64.c
+++ b/crypto/asn1/x_int64.c
@@ -71,6 +71,11 @@ static int uint64_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         ASN1err(ASN1_F_UINT64_C2I, ASN1_R_ILLEGAL_NEGATIVE_VALUE);
         return 0;
     }
+    if ((it->size & INTxx_FLAG_SIGNED) == INTxx_FLAG_SIGNED
+            && !neg && utmp > INT64_MAX) {
+        ASN1err(ASN1_F_UINT64_C2I, ASN1_R_TOO_LARGE);
+        return 0;
+    }
     memcpy(cp, &utmp, sizeof(utmp));
     return 1;
 }
author	Matt Caswell <matt@openssl.org>	2017-04-10 17:33:29 +0100
committer	Matt Caswell <matt@openssl.org>	2017-04-11 15:29:42 +0100
commit	0856e3f167964f58c26796331eab9d8b0a883921 (patch)
tree	62eb11a4c6e626a5e82fbbda7bcd4f162dae102e /crypto/asn1
parent	745dec3aed750d681a81a049152edbb57c1f8c2d (diff)