Fix undefined behaviour in EC_GROUP_new_from_ecparameters

This happens for instance with fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a and causes the OPENSSL_malloc below to choke on the zero length allocation request. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18363)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2022-05-20 16:54:41 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2022-05-24 11:47:37 +0200
commit: e4b84b7514e5cbcbfc80e31b4ce609c7584e14bb (patch)
tree: 5a666101d6a8cbacbd3841656620f3c84315919e /crypto
parent: 8e1ece20cdb4a584be5311370256c4e813c09826 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 4335b3da1a..ad9a54dc50 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
 
     /* extract seed (optional) */
     if (params->curve->seed != NULL) {
+        /*
+         * This happens for instance with
+         * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
+         * and causes the OPENSSL_malloc below to choke on the
+         * zero length allocation request.
+         */
+        if (params->curve->seed->length == 0) {
+            ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+            goto err;
+        }
         OPENSSL_free(ret->seed);
         if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
             ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2022-05-20 16:54:41 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2022-05-24 11:47:37 +0200
commit	e4b84b7514e5cbcbfc80e31b4ce609c7584e14bb (patch)
tree	5a666101d6a8cbacbd3841656620f3c84315919e /crypto
parent	8e1ece20cdb4a584be5311370256c4e813c09826 (diff)