diff options
author | Matt Caswell <matt@openssl.org> | 2016-04-25 09:06:29 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-05-03 11:49:12 +0100 |
commit | 3850c2b9d55fb91ea1d9b8228fd8a761d0ba1780 (patch) | |
tree | 116b127e65038f5a056ee0d3b9551f4c6ad71c86 /crypto/evp | |
parent | 172c6e1e14defe7d49d62f5fc9ea6a79b225424f (diff) |
Ensure EVP_EncodeUpdate handles an output length that is too long
With the EVP_EncodeUpdate function it is the caller's responsibility to
determine how big the output buffer should be. The function writes the
amount actually used to |*outl|. However this could go negative with a
sufficiently large value for |inl|. We add a check for this error
condition.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/evp')
-rw-r--r-- | crypto/evp/encode.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index a5d0c653cc..c6c775e0a0 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/evp.h> @@ -151,7 +152,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) @@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; |