From: Matt Caswell Date: Mon, 27 Mar 2017 15:11:11 +0000 (+0100) Subject: Fix a possible integer overflow in long_c2i X-Git-Tag: OpenSSL_1_1_1-pre1~1859 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=8ac6a53100bd6730a8824968ec25dccc727c29c9;p=oweals%2Fopenssl.git Fix a possible integer overflow in long_c2i Credit to OSS-Fuzz for finding this. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/3088) --- diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 233725f8ff..615d24df08 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -149,6 +149,10 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, utmp |= cont[i]; } ltmp = (long)utmp; + if (ltmp < 0) { + ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); + return 0; + } if (neg) { ltmp = -ltmp; ltmp--;
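Review bot: the new `if (ltmp < 0)` test sits after `ltmp = (long)utmp;`, so it depends on an out-of-range conversion to long producing a negative value, which C leaves implementation-defined. Checking the source value before the cast, for example `if (utmp > LONG_MAX)`, states the intent directly and does not rely on the result of the conversion. That form still leaves the `neg` branch its full range, since `ltmp = -ltmp; ltmp--;` with utmp equal to LONG_MAX gives LONG_MIN. A one-line comment saying which later operation the check protects would help the next reader. The diff touches only crypto/asn1/x_long.c, so a regression test built from the input OSS-Fuzz reported would be worth adding alongside it.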