Add more negative checks for integers passed to OPENSSL_malloc().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)

7 files changed, 17 insertions, 2 deletions

diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index bdefa448ec..263c8a0c5e 100644
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
         return NULL;
 
     i = i2d(x, NULL);
+    if (i <= 0)
+        return NULL;
+
     b = OPENSSL_malloc(i + 10);
     if (b == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d..19e41ec73e 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     ASN1_INTEGER *ret = NULL;
     const unsigned char *p;
     unsigned char *s;
-    long len;
+    long len = 0;
     int inf, tag, xclass;
     int i;
 
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         goto err;
     }
 
+    if (len < 0) {
+        i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+        goto err;
+    }
     /*
      * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
      * a missing NULL parameter.
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 208a383af2..22dea873ee 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         len = strlen((const char *)in);
     if (!mask)
         mask = DIRSTRING_TYPE;
+    if (len < 0)
+        return -1;
 
     /* First do a string check and work out the number of characters */
     switch (inform) {
diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index dc99e2d7c2..19af059a2c 100644
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
 
 static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
 {
-    if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
+    if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index b6388cd12f..fb43044822 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     }
     if (!saltlen)
         saltlen = PKCS5_SALT_LEN;
+    if (saltlen < 0)
+        goto err;
 
     sstr = OPENSSL_malloc(saltlen);
     if (sstr == NULL) {
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 738e3a0d10..1049f01905 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     kdf->salt->value.octet_string = osalt;
     kdf->salt->type = V_ASN1_OCTET_STRING;
 
+    if (saltlen < 0)
+        goto merr;
     if (saltlen == 0)
         saltlen = PKCS5_SALT_LEN;
     if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 12a6b15999..28a4b23aa4 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
         return 1;
 
     OPENSSL_free(enc->enc);
+    if (inlen <= 0)
+        return 0;
     if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;