From fbba62f6c9671b151df648f06afdf6af14518ab4 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Oct 2016 15:21:55 +0100
Subject: [PATCH] Add some sanity checks for BIO_read* and BIO_gets

Make sure the return value isn't bigger than the buffer len

Reviewed-by: Richard Levitte <levitte@openssl.org>
---
 crypto/bio/bio_lib.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index 1a9b9137ba..b8673adce0 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -278,6 +278,10 @@ static int bio_read_intern(BIO *b, void *data, size_t datal, size_t *read)
         ret = (int)bio_call_callback(b, BIO_CB_READ | BIO_CB_RETURN, data,
                                      datal, 0, 0L, ret, read);
 
+    /* Shouldn't happen */
+    if (ret > 0 && *read > datal)
+        return -1;
+
     return ret;
 }
 
@@ -433,6 +437,11 @@ int BIO_gets(BIO *b, char *out, int outl)
         return (-2);
     }
 
+    if (outl < 0) {
+        BIOerr(BIO_F_BIO_GETS, BIO_R_INVALID_ARGUMENT);
+        return 0;
+    }
+
     if (b->callback != NULL || b->callback_ex != NULL) {
         ret = (int)bio_call_callback(b, BIO_CB_GETS, out, outl, 0, 0L, 1, NULL);
         if (ret <= 0)
@@ -456,7 +465,8 @@ int BIO_gets(BIO *b, char *out, int outl)
                                      0, 0L, ret, &read);
 
     if (ret > 0) {
-        if (read > INT_MAX)
+        /* Shouldn't happen */
+        if (read > (size_t)outl)
             ret = -1;
         else
             ret = (int)read;
-- 
2.25.1