From: Richard Levitte Date: Fri, 31 Mar 2017 19:31:43 +0000 (+0200) Subject: Fix faulty check of padding in x_long.c X-Git-Tag: OpenSSL_1_1_1-pre1~1858 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=79b3452faf04f2572f57eb37b618cc603d9983da;p=oweals%2Fopenssl.git Fix faulty check of padding in x_long.c Bug uncovered by test [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3088) --- diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 615d24df08..a7b90231c0 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -110,7 +110,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, unsigned long utmp = 0; char *cp = (char *)pval; - if (len) { + if (len > 1) { /* * Check possible pad byte. Worst case, we're skipping past actual * content, but since that's only with 0x00 and 0xff and we set neg @@ -120,7 +120,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case 0xff: cont++; len--; - neg = 1; + neg = 0x80; break; case 0: cont++; @@ -139,6 +139,9 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, neg = 1; else neg = 0; + } else if (neg == (cont[0] & 0x80)) { + ASN1err(ASN1_F_LONG_C2I, ASN1_R_ILLEGAL_PADDING); + return 0; } utmp = 0; for (i = 0; i < len; i++) {