diff options
author | Pauli <paul.dale@oracle.com> | 2020-04-06 09:23:00 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-04-08 09:21:58 +1000 |
commit | 163897267fab6d29dff1a4bf8247f8e02e158be8 (patch) | |
tree | a13bd8d3b4075a979c4e2853cde101e04b6ea47d /crypto/asn1 | |
parent | 43c242b0f687fc48c57ae3d721960db28e079ef6 (diff) |
Integer overflow in ASN1_STRING_set.
Addressing a potential integer overflow condition.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11473)
(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5)
Diffstat (limited to 'crypto/asn1')
-rw-r--r-- | crypto/asn1/asn1_lib.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index a7d32ae5e2..5cd0e16b52 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str) return ret; } -int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) +int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) { unsigned char *c; const char *data = _data; + size_t len; - if (len < 0) { + if (len_in < 0) { if (data == NULL) return 0; - else - len = strlen(data); + len = strlen(data); + } else { + len = (size_t)len_in; + } + /* + * Verify that the length fits within an integer for assignment to + * str->length below. The additional 1 is subtracted to allow for the + * '\0' terminator even though this isn't strictly necessary. + */ + if (len > INT_MAX - 1) { + ASN1err(0, ASN1_R_TOO_LARGE); + return 0; } - if ((str->length <= len) || (str->data == NULL)) { + if ((size_t)str->length <= len || str->data == NULL) { c = str->data; str->data = OPENSSL_realloc(c, len + 1); if (str->data == NULL) { |