From: Dr. Stephen Henson Date: Thu, 4 Aug 2016 12:54:51 +0000 (+0100) Subject: Check for overflows in i2d_ASN1_SET() X-Git-Tag: OpenSSL_1_0_2i~92 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=af601b83198771a4ad54ac0f415964b90aab4b5f;p=oweals%2Fopenssl.git Check for overflows in i2d_ASN1_SET() Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz --- diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c index bf3f971889..5fb5865575 100644 --- a/crypto/asn1/a_set.c +++ b/crypto/asn1/a_set.c @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, if (a == NULL) return (0); - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) + for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) { + int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + if (tmplen > INT_MAX - ret) + return -1; ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + } r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) + if (pp == NULL || r == -1) return (r); p = *pp;