Assorted bugfixes:
authorBodo Möller <bodo@openssl.org>
Thu, 3 Feb 2011 12:04:48 +0000 (12:04 +0000)
committerBodo Möller <bodo@openssl.org>
Thu, 3 Feb 2011 12:04:48 +0000 (12:04 +0000)
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Neel Mehta, Bodo Moeller)

crypto/comp/c_rle.c
ssl/s2_srvr.c

index efd366fa2239aa08594f50c3d3fe4a266164be55..18bceae51e76f33edfc18e90cfe0e3c68e06e51a 100644 (file)
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
        {
        int i;
 
-       if (olen < (ilen-1))
+       if (ilen == 0 || olen < (ilen-1))
                {
                /* ZZZZZZZZZZZZZZZZZZZZZZ */
                return(-1);
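Review bot: The rejection branch under `if (ilen == 0 || olen < (ilen-1))` is documented only by the placeholder `/* ZZZZZZZZZZZZZZZZZZZZZZ */`, so a reader cannot tell why an empty input is now an error. Replace it with a real comment such as `/* reject empty input (ilen-1 is not a valid payload length) or an output buffer smaller than the ilen-1 bytes to be produced */`. The parameter types are declared outside the hunk; if `ilen` is unsigned, `ilen-1` wraps for zero, which is worth stating in the comment once confirmed. rle_expand_block starts above the hunk and continues below it.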
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
                }
        return(ilen-1);
        }
-
index eeffe2549248b071e04aef0054bb49b320627bfc..c87d84499e76f323de205beea39fab362ad04e47 100644 (file)
@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
                p+=3;
                n2s(p,i); s->s2->tmp.clear=i;
                n2s(p,i); s->s2->tmp.enc=i;
-               n2s(p,i); s->session->key_arg_length=i;
-               if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+               n2s(p,i);
+               if(i > SSL_MAX_KEY_ARG_LENGTH)
                        {
                        ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
                        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
                        return -1;
                        }
+               s->session->key_arg_length=i;
                s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
                }
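Review bot: The two neighbouring length fields are still written into connection state straight from the wire, `n2s(p,i); s->s2->tmp.clear=i;` and `n2s(p,i); s->s2->tmp.enc=i;`, with no bound applied in this hunk. That is the same store-before-validate pattern being corrected for `key_arg_length` a few lines later. If both values are range-checked later in get_client_master_key (not visible here), add a comment saying so, e.g. `/* tmp.clear and tmp.enc are validated before use below */`. If they are not, they should get the same check-then-assign treatment so that a rejected message never leaves attacker-chosen lengths behind in `s->s2->tmp`. The function starts and ends outside the hunk.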