From e9f17097e9fbba3e7664cd67e54eebf2bd438863 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 2 Aug 2016 00:30:47 +0100 Subject: [PATCH] Check for overflows in ASN1_object_size(). Reviewed-by: Richard Levitte --- crypto/asn1/asn1_lib.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 92604ead86..1b521077a9 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -206,26 +206,30 @@ static void asn1_put_length(unsigned char **pp, int length) int ASN1_object_size(int constructed, int length, int tag) { - int ret; - - ret = length; - ret++; + int ret = 1; + if (length < 0) + return -1; if (tag >= 31) { while (tag > 0) { tag >>= 7; ret++; } } - if (constructed == 2) - return ret + 3; - ret++; - if (length > 127) { - while (length > 0) { - length >>= 8; - ret++; + if (constructed == 2) { + ret += 3; + } else { + ret++; + if (length > 127) { + int tmplen = length; + while (tmplen > 0) { + tmplen >>= 8; + ret++; + } } } - return (ret); + if (ret >= INT_MAX - length) + return -1; + return ret + length; } int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) -- 2.25.1