From 2bd5d70ce5943e0085c1f886ed8ea4c34ca0f133 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 25 Apr 2016 09:06:29 +0100 Subject: [PATCH] Ensure EVP_EncodeUpdate handles an output length that is too long With the EVP_EncodeUpdate function it is the caller's responsibility to determine how big the output buffer should be. The function writes the amount actually used to |*outl|. However this could go negative with a sufficiently large value for |inl|. We add a check for this error condition. Reviewed-by: Richard Levitte --- crypto/evp/encode.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 6f862fa2dd..ee105434b5 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -56,6 +56,7 @@ */ #include +#include #include "internal/cryptlib.h" #include #include "evp_locl.h" @@ -165,7 +166,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) @@ -188,7 +189,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -197,6 +198,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; -- 2.25.1