From 9d09fc8485479a38c37a1de1378a0ded22492f7e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?=
Date: Thu, 3 Feb 2011 12:04:48 +0000
Subject: [PATCH] Assorted bugfixes: - RLE decompression boundary case - SSL 2.0 key arg length check Submitted by: Google (Neel Mehta, Bodo Moeller)
---
 crypto/comp/c_rle.c | 3 +--
 ssl/s2_srvr.c | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/comp/c_rle.c b/crypto/comp/c_rle.c
index efd366fa22..18bceae51e 100644
--- a/crypto/comp/c_rle.c
+++ b/crypto/comp/c_rle.c
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 {
 int i;
 
- if (olen < (ilen-1))
+ if (ilen == 0 || olen < (ilen-1))
 {
 /* ZZZZZZZZZZZZZZZZZZZZZZ */
 return(-1);
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 }
 return(ilen-1);
 }
-
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index eeffe25492..c87d84499e 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
 p+=3;
 n2s(p,i); s->s2->tmp.clear=i;
 n2s(p,i); s->s2->tmp.enc=i;
- n2s(p,i); s->session->key_arg_length=i;
- if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+ n2s(p,i);
+ if(i > SSL_MAX_KEY_ARG_LENGTH)
 {
 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
 return -1;
 }
+ s->session->key_arg_length=i;
 s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 }
 
-- 
2.25.1
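Review bot: The widened guard in rle_expand_block still sits above the placeholder comment `/* ZZZZZZZZZZZZZZZZZZZZZZ */`, which gives a reader no reason why an empty input is now rejected. I would replace it with `/* reject empty input (ilen-1 would wrap) and output buffers smaller than ilen-1 bytes */`; the wrap assumes `ilen` is unsigned, which the truncated signature in the hunk header does not show. The same subtraction appears in `return(ilen-1)` in the following hunk, so a regression test that calls the expander with `ilen == 0` would pin this boundary case. The function body between the two hunks is outside the diff.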
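Review bot: The reordering in get_client_master_key carries no comment explaining why the store to `s->session->key_arg_length` now follows the bound check, so a later cleanup could fold the two statements back together. I would add above the check `/* validate the client-supplied length before storing it: the session must never hold a key_arg_length above SSL_MAX_KEY_ARG_LENGTH, even on the error path */`. The two neighbouring fields, `s->s2->tmp.clear` and `s->s2->tmp.enc`, are still assigned straight from the message in this hunk. Whether they are bounded before use cannot be seen here, because the function starts and ends outside the hunk, and that is worth confirming in the same review.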