[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Dr. Stephen Henson steve at openssl.org
Tue Aug 2 19:55:37 UTC 2016 

The branch OpenSSL_1_0_2-stable has been updated
       via  ff8b6b92f44c682ad78f60c32ec154e0bfabebb2 (commit)
       via  b10c10422a9ec4db426be3ef99031f0807d2ded0 (commit)
      from  3dc160e9be6dcaeec9345fbb61b1c427d7026103 (commit)


- Log -----------------------------------------------------------------
commit ff8b6b92f44c682ad78f60c32ec154e0bfabebb2
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Aug 2 00:30:47 2016 +0100

    Check for overflows in ASN1_object_size().
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)

commit b10c10422a9ec4db426be3ef99031f0807d2ded0
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Aug 2 00:45:31 2016 +0100

    Check for overlows and error return from ASN1_object_size()
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 56f9953c846204cb3251ab27605e403c7444fd72)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_object.c |  2 +-
 crypto/asn1/asn1_lib.c | 28 ++++++++++++++++------------
 crypto/asn1/tasn_enc.c | 25 ++++++++++++++++---------
 3 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 27f9c16..fba9f66 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -73,7 +73,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
         return (0);
 
     objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT);
-    if (pp == NULL)
+    if (pp == NULL || objsize == -1)
         return objsize;
 
     p = *pp;
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 874b1af..8752654 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length)
 
 int ASN1_object_size(int constructed, int length, int tag)
 {
-    int ret;
-
-    ret = length;
-    ret++;
+    int ret = 1;
+    if (length < 0)
+        return -1;
     if (tag >= 31) {
         while (tag > 0) {
             tag >>= 7;
             ret++;
         }
     }
-    if (constructed == 2)
-        return ret + 3;
-    ret++;
-    if (length > 127) {
-        while (length > 0) {
-            length >>= 8;
-            ret++;
+    if (constructed == 2) {
+        ret += 3;
+    } else {
+        ret++;
+        if (length > 127) {
+            int tmplen = length;
+            while (tmplen > 0) {
+                tmplen >>= 8;
+                ret++;
+            }
         }
     }
-    return (ret);
+    if (ret >= INT_MAX - length)
+        return -1;
+    return ret + length;
 }
 
 static int _asn1_Finish(ASN1_const_CTX *c)
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index f7f83e5..255b11e 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -216,17 +216,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
         for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
             const ASN1_TEMPLATE *seqtt;
             ASN1_VALUE **pseqval;
+            int tmplen;
             seqtt = asn1_do_adb(pval, tt, 1);
             if (!seqtt)
                 return 0;
             pseqval = asn1_get_field_ptr(pval, seqtt);
-            /* FIXME: check for errors in enhanced version */
-            seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt,
-                                               -1, aclass);
+            tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass);
+            if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen))
+                return -1;
+            seqcontlen += tmplen;
         }
 
         seqlen = ASN1_object_size(ndef, seqcontlen, tag);
-        if (!out)
+        if (!out || seqlen == -1)
             return seqlen;
         /* Output SEQUENCE header */
         ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
@@ -339,19 +341,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
         /* Determine total length of items */
         skcontlen = 0;
         for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+            int tmplen;
             skitem = sk_ASN1_VALUE_value(sk, i);
-            skcontlen += ASN1_item_ex_i2d(&skitem, NULL,
-                                          ASN1_ITEM_ptr(tt->item),
-                                          -1, iclass);
+            tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item),
+                                      -1, iclass);
+            if (tmplen == -1 || (skcontlen > INT_MAX - tmplen))
+                return -1;
+            skcontlen += tmplen;
         }
         sklen = ASN1_object_size(ndef, skcontlen, sktag);
+        if (sklen == -1)
+            return -1;
         /* If EXPLICIT need length of surrounding tag */
         if (flags & ASN1_TFLG_EXPTAG)
             ret = ASN1_object_size(ndef, sklen, ttag);
         else
             ret = sklen;
 
-        if (!out)
+        if (!out || ret == -1)
             return ret;
 
         /* Now encode this lot... */
@@ -380,7 +387,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
             return 0;
         /* Find length of EXPLICIT tag */
         ret = ASN1_object_size(ndef, i, ttag);
-        if (out) {
+        if (out && ret != -1) {
             /* Output tag and item */
             ASN1_put_object(out, ndef, i, ttag, tclass);
             ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass);

More information about the openssl-commits mailing list