Make sure max in fmtstr() doesn't overflow into negativity

Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 545c46981089c13774b8da088149316c909484ee..1b70bac71b1d6350dfe3d766026ac6e21a3b407c 100644 (file)
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -390,8 +390,16 @@ fmtstr(char **sbuffer,
     padlen = min - strln;
     if (min < 0 || padlen < 0)
         padlen = 0;
-    if (max >= 0)
-        max += padlen;      /* The maximum output including padding */
+    if (max >= 0) {
+        /*
+         * Calculate the maximum output including padding.
+         * Make sure max doesn't overflow into negativity
+         */
+        if (max < INT_MAX - padlen)
+            max += padlen;
+        else
+            max = INT_MAX;
+    }
     if (flags & DP_F_MINUS)
         padlen = -padlen;