From 79b3452faf04f2572f57eb37b618cc603d9983da Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 31 Mar 2017 21:31:43 +0200 Subject: [PATCH] Fix faulty check of padding in x_long.c Bug uncovered by test [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3088) --- crypto/asn1/x_long.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 615d24df08..a7b90231c0 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -110,7 +110,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, unsigned long utmp = 0; char *cp = (char *)pval; - if (len) { + if (len > 1) { /* * Check possible pad byte. Worst case, we're skipping past actual * content, but since that's only with 0x00 and 0xff and we set neg @@ -120,7 +120,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case 0xff: cont++; len--; - neg = 1; + neg = 0x80; break; case 0: cont++; @@ -139,6 +139,9 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, neg = 1; else neg = 0; + } else if (neg == (cont[0] & 0x80)) { + ASN1err(ASN1_F_LONG_C2I, ASN1_R_ILLEGAL_PADDING); + return 0; } utmp = 0; for (i = 0; i < len; i++) { -- 2.25.1