From: Rich Salz Date: Tue, 21 Feb 2017 18:07:13 +0000 (-0500) Subject: Prevent OOB in SRP base64 code. X-Git-Tag: OpenSSL_1_1_0f~225 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c6a9f005be1cf8e29a0985643b27b9548bcfdee2;p=oweals%2Fopenssl.git Prevent OOB in SRP base64 code. Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by: Richard Levitte Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2672) (cherry picked from commit ecca16632a73bb80ee27cdec8a97f6def0a4714d) --- diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 188fad27e1..29b7afcb04 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) int i, j; int size; + if (alen == 0 || alen > INT_MAX) + return -1; + while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) ++src; size = strlen(src); - if (alen > INT_MAX || size > (int)alen) + if (size < 0 || size >= (int)alen) return -1; i = 0; @@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) if (--i < 0) break; } - while (a[j] == 0 && j <= size) + while (j <= size && a[j] == 0) ++j; i = 0; while (j <= size)