Clarify logic in BIO_*printf functions

The static function dynamically allocates an output buffer if the output grows larger than the static buffer that is normally used. The original logic implied that |currlen| could be greater than |maxlen| which is incorrect (and if so would cause a buffer overrun). Also the original logic would call OPENSSL_malloc to create a dynamic buffer equal to the size of the static buffer, and then immediately call OPENSSL_realloc to make it bigger, rather than just creating a buffer than was big enough in the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 9d9e37744cd5119f9921315864d1cd28717173cd)
author: Matt Caswell <matt@openssl.org> 2015-04-27 15:41:03 +0100
committer: Matt Caswell <matt@openssl.org> 2015-04-30 23:26:07 +0100
commit: d889682208e4e75bca78f862b8e509a5b61b01f6 (patch)
tree: 6c6f2bcdf17cc34e57a9392edfcb446771956a3f /crypto
parent: 951ede2a06eba9a71c5d40b25f924e97f443c437 (diff)
1 files changed, 21 insertions, 24 deletions
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 452e5cfd95..7c81e25d48 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -704,32 +704,29 @@ doapr_outch(char **sbuffer,
     /* If we haven't at least one buffer, someone has doe a big booboo */
     assert(*sbuffer != NULL || buffer != NULL);
 
-    if (buffer) {
-        while (*currlen >= *maxlen) {
-            if (*buffer == NULL) {
-                if (*maxlen == 0)
-                    *maxlen = 1024;
-                *buffer = OPENSSL_malloc(*maxlen);
-                if (!*buffer) {
-                    /* Panic! Can't really do anything sensible. Just return */
-                    return;
-                }
-                if (*currlen > 0) {
-                    assert(*sbuffer != NULL);
-                    memcpy(*buffer, *sbuffer, *currlen);
-                }
-                *sbuffer = NULL;
-            } else {
-                *maxlen += 1024;
-                *buffer = OPENSSL_realloc(*buffer, *maxlen);
-                if (!*buffer) {
-                    /* Panic! Can't really do anything sensible. Just return */
-                    return;
-                }
+    /* |currlen| must always be <= |*maxlen| */
+    assert(*currlen <= *maxlen);
+
+    if (buffer && *currlen == *maxlen) {
+        *maxlen += 1024;
+        if (*buffer == NULL) {
+            *buffer = OPENSSL_malloc(*maxlen);
+            if (!*buffer) {
+                /* Panic! Can't really do anything sensible. Just return */
+                return;
+            }
+            if (*currlen > 0) {
+                assert(*sbuffer != NULL);
+                memcpy(*buffer, *sbuffer, *currlen);
+            }
+            *sbuffer = NULL;
+        } else {
+            *buffer = OPENSSL_realloc(*buffer, *maxlen);
+            if (!*buffer) {
+                /* Panic! Can't really do anything sensible. Just return */
+                return;
             }
         }
-        /* What to do if *buffer is NULL? */
-        assert(*sbuffer != NULL || *buffer != NULL);
     }
 
     if (*currlen < *maxlen) {
author	Matt Caswell <matt@openssl.org>	2015-04-27 15:41:03 +0100
committer	Matt Caswell <matt@openssl.org>	2015-04-30 23:26:07 +0100
commit	d889682208e4e75bca78f862b8e509a5b61b01f6 (patch)
tree	6c6f2bcdf17cc34e57a9392edfcb446771956a3f /crypto
parent	951ede2a06eba9a71c5d40b25f924e97f443c437 (diff)