From 8b6277538350008a19f8015895972a5edf13da11 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 27 Mar 2017 16:11:11 +0100
Subject: Fix a possible integer overflow in long_c2i

Credit to OSS-Fuzz for finding this.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
---
 crypto/asn1/x_long.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'crypto/asn1')

diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c
index 233725f8ff..615d24df08 100644
--- a/crypto/asn1/x_long.c
+++ b/crypto/asn1/x_long.c
@@ -149,6 +149,10 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
             utmp |= cont[i];
     }
     ltmp = (long)utmp;
+    if (ltmp < 0) {
+        ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+        return 0;
+    }
     if (neg) {
         ltmp = -ltmp;
         ltmp--;
-- 
cgit v1.2.3