Fix overflow in c2i_ASN1_BIT_STRING.
authorDavid Benjamin <davidben@google.com>
Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)
committerAndy Polyakov <appro@openssl.org>
Tue, 19 Sep 2017 19:33:57 +0000 (21:33 +0200)
commit859a42531acf2c3547711f642bcfd7fd52eb2338
treef79cb974ed51d3b2d60a1313d28c11c23407269c
parent772fc32bab589f8e0d54eb9777e51819412d80e6
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

(cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)
crypto/asn1/a_bitstr.c