From d93f33824888053ea935318556be402e286ab715 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 16 Mar 2022 14:57:24 +1100
Subject: Fix Coverity 1503096: out-of-bounds access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17898)

(cherry picked from commit d1592f21c0d4c2c94a8c6004cf7b5cad2dcb2637)
---
 crypto/evp/evp_enc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'crypto')

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index d0cf7d995f..19a07debd9 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -344,8 +344,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
 
         case EVP_CIPH_CBC_MODE:
             n = EVP_CIPHER_CTX_get_iv_length(ctx);
-            if (!ossl_assert(n >= 0 && n <= (int)sizeof(ctx->iv)))
-                    return 0;
+            if (n < 0 || n > (int)sizeof(ctx->iv)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
+                return 0;
+            }
             if (iv != NULL)
                 memcpy(ctx->oiv, iv, n);
             memcpy(ctx->iv, ctx->oiv, n);
@@ -355,8 +357,11 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
             ctx->num = 0;
             /* Don't reuse IV for CTR mode */
             if (iv != NULL) {
-                if ((n = EVP_CIPHER_CTX_get_iv_length(ctx)) <= 0)
+                n = EVP_CIPHER_CTX_get_iv_length(ctx);
+                if (n <= 0 || n > (int)sizeof(ctx->iv)) {
+                    ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
                     return 0;
+                }
                 memcpy(ctx->iv, iv, n);
             }
             break;
-- 
cgit v1.2.3