diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2016-08-02 00:30:47 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2016-08-02 13:40:32 +0100 |
| commit | e9f17097e9fbba3e7664cd67e54eebf2bd438863 (patch) | |
| tree | 99e58aa5d5289b63c6174a0fd9b34b61cf0c1380 /crypto | |
| parent | f37c159aed4bca0b7d3ea4657c450826850c8e75 (diff) | |
| download | openssl-e9f17097e9fbba3e7664cd67e54eebf2bd438863.zip openssl-e9f17097e9fbba3e7664cd67e54eebf2bd438863.tar.gz openssl-e9f17097e9fbba3e7664cd67e54eebf2bd438863.tar.bz2 | |
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/asn1/asn1_lib.c | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 92604ea..1b52107 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -206,26 +206,30 @@ static void asn1_put_length(unsigned char **pp, int length) int ASN1_object_size(int constructed, int length, int tag) { - int ret; - - ret = length; - ret++; + int ret = 1; + if (length < 0) + return -1; if (tag >= 31) { while (tag > 0) { tag >>= 7; ret++; } } - if (constructed == 2) - return ret + 3; - ret++; - if (length > 127) { - while (length > 0) { - length >>= 8; - ret++; + if (constructed == 2) { + ret += 3; + } else { + ret++; + if (length > 127) { + int tmplen = length; + while (tmplen > 0) { + tmplen >>= 8; + ret++; + } } } - return (ret); + if (ret >= INT_MAX - length) + return -1; + return ret + length; } int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) |