[openssl-dev] [openssl.org #4585] some bugs in ver.1.0.2d (fix)

石磊 via RT rt at openssl.org
Thu Jun 23 11:59:54 UTC 2016


Hi,

Recently, I found some bugs in ver.1.0.2d.

DESCRIPTION

_____

1. Line 122 in a_enum.c: return (0xffffffffL);
I think it should be "return -1;".


2. Line 149 in a_enum.c: if (BN_is_negative(bn))
I think it should be "if (BN_is_negative(bn) && !BN_is_zero(bn))".


3. Line 161 and line 164 in f_string.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = (unsigned char *)OPENSSL_realloc(s, (unsigned int)num + i * 2);

Allocation "num + i" is enough.


4. Function a2i_ASN1_STRING in f_string.c.
The processing of the contents containing "\\" is not correct.


5. Function a2i_ASN1_STRING in f_string.c.
There is a memory leak when the content is like "1234567\\\r\n890".


6. Line 155 and line 158 in f_enum.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = (unsigned char *)OPENSSL_realloc(s, (unsigned int)num + i * 2);

Allocation "num + i" is enough.


7. Function a2i_ASN1_ENUMERATED in f_enum.c.
The processing of the contents containing "\\" is not correct.


8. Function a2i_ASN1_ENUMERATED in f_enum.c.
There is a memory leak when the content is like "1234567\\\r\n890".


9. Line 169 and line 172 in f_int.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = sp = OPENSSL_realloc_clean(s, slen, num + i * 2);

Allocation "num + i" is enough.


10. Function a2i_ASN1_INTEGER in f_int.c.
The processing of the contents containing "\\" is not correct.


11. Function a2i_ASN1_INTEGER in f_int.c.
There is a memory leak when the content is like "1234567\\\r\n890".


12. Line 226 in t1_ext.c:
exts->meths = OPENSSL_realloc(exts->meths, (exts->meths_count + 1) * sizeof(custom_ext_method));

There's a risk of memory leaks.


13. Line 896 in ssl_rsa.c:
ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, serverinfo_length);

There's a risk of memory leaks.


14. Line 979 in ssl_rsa.c:
serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);

There's a risk of memory leaks.


15. Line 366 in openbsd_hw.c:
md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);

There's a risk of memory leaks.


16. Line 812 in eng_cryptodev.c:
state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count);

There's a risk of memory leaks.


17. Line 899 in b_sock.c: p = OPENSSL_realloc(p, nl);
There's a risk of memory leaks.


18. Line 724 in b_print.c: *buffer = OPENSSL_realloc(*buffer, *maxlen);
There's a risk of memory leaks.


19. Line 117 in engine.c: *buf = OPENSSL_realloc(*buf, *size);
There's a risk of memory leaks.



Thanks,

Shi Lei / Qihoo 360 Inc.
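The `p = OPENSSL_realloc(p, n)` pattern behind items 12 through 19 loses the only pointer to the old block when realloc fails. The following added example (not from the ticket or from OpenSSL) contrasts that pattern with the temporary-pointer fix; `test_realloc` and `fail_next_realloc` are a constructed fault-injection wrapper so the failure path can be exercised without exhausting memory.

```c
#include <stdlib.h>

/* Constructed fault injection: when set, the next realloc() call fails,
 * so both patterns can be exercised without exhausting memory. */
static int fail_next_realloc = 0;

static void *test_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;            /* a real realloc() leaves p allocated here */
    }
    return realloc(p, n);
}

/* The pattern the ticket reports: on failure the only pointer to the old
 * block is overwritten with NULL, so that block can never be freed. */
static int grow_leaky(unsigned char **buf, size_t *cap, size_t newcap)
{
    *buf = test_realloc(*buf, newcap);
    if (*buf == NULL) return 0;
    *cap = newcap;
    return 1;
}

/* Fixed pattern: reallocate into a temporary and commit only on success,
 * so the caller still owns (and can free) the original block. */
static int grow_safe(unsigned char **buf, size_t *cap, size_t newcap)
{
    unsigned char *tmp = test_realloc(*buf, newcap);
    if (tmp == NULL) return 0;
    *buf = tmp;
    *cap = newcap;
    return 1;
}

/* Force one realloc failure through the given grow function and report
 * whether the original block is still reachable (1) or leaked (0). */
static int survives_failed_grow(int (*grow)(unsigned char **, size_t *, size_t))
{
    size_t cap = 8;
    unsigned char *buf = malloc(cap);
    if (buf == NULL) return -1;
    fail_next_realloc = 1;
    grow(&buf, &cap, cap * 2);  /* returns 0 for both patterns */
    int reachable = (buf != NULL);
    free(buf);                  /* free(NULL) is a no-op: the leak stands */
    return reachable;
}
```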




-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4585