Fix the heap corruption in libeay32!OBJ_add_object.
authorGunnar Kudrjavets <gunnarku@microsoft.com>
Tue, 12 May 2015 22:44:45 +0000 (15:44 -0700)
committerMatt Caswell <matt@openssl.org>
Wed, 13 May 2015 08:23:23 +0000 (09:23 +0100)
commit56d88027f026afd97ddf4e501f98437ca9819bfb
tree3e29209d9c20c1e17fbbd947773db1c5d1c58ce5
parent6b43bbf09c6f31f2b6c66a5e8ef3b668036fbfeb
Fix the heap corruption in libeay32!OBJ_add_object.

Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
they return different sizes. Therefore as the result heap gets corrupted
and at some point later debug version of malloc() detects the corruption.

On x86 we can observe that as follows:

sizeof(*ao) == 4
sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8

Issue reproduces with either enabling CRT debug heap or Application
Verifier's full-page heap.

Basic debugging data from the moment the corruption is first detected:

0:000:x86> |
.  0    id: 283c        create  name: openssl.exe
0:000:x86> kcn
 #
00 MSVCR120D!_heap_alloc_dbg_impl
01 MSVCR120D!_nh_malloc_dbg_impl
02 MSVCR120D!_nh_malloc_dbg
03 MSVCR120D!malloc
04 LIBEAY32!default_malloc_ex
05 LIBEAY32!CRYPTO_malloc
06 LIBEAY32!lh_insert
07 LIBEAY32!OBJ_add_object
08 LIBEAY32!OBJ_create
09 openssl!add_oid_section
0a openssl!req_main
0b openssl!do_cmd
0c openssl!main
0d openssl!__tmainCRTStartup
0e openssl!mainCRTStartup
0f KERNEL32!BaseThreadInitThunk
10 ntdll_77d60000!__RtlUserThreadStart
11 ntdll_77d60000!_RtlUserThreadStart

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
crypto/objects/obj_dat.c