From 6592de7c8c090bbb7ec82bad07b3249153bb692f Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 4 Aug 2016 13:54:51 +0100 Subject: [PATCH] Check for overflows in i2d_ASN1_SET() Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f) --- crypto/asn1/a_set.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c index bf3f971889..5fb5865575 100644 --- a/crypto/asn1/a_set.c +++ b/crypto/asn1/a_set.c @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, if (a == NULL) return (0); - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) + for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) { + int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + if (tmplen > INT_MAX - ret) + return -1; ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + } r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) + if (pp == NULL || r == -1) return (r); p = *pp; -- 2.25.1