[openssl-dev] [openssl.org #4403] [PATCH] prevent OPENSSL_realloc() from clobbering old pointer value on failure in OpenSSL-1.1 pre-4

Bill Parker via RT rt at openssl.org
Wed Mar 9 18:04:35 UTC 2016


Hello All,

In reviewing code in directory 'crypto/modes', file 'ocb128.c', there is a
call to OPENSSL_realloc() which has the potential to clobber the old value
of variable 'ctx->l', if the call returns NULL.

The patch file below uses a void *tmp_ptr to prevent this from occurring:

--- ocb128.c.orig       2016-03-08 16:29:47.856436204 -0800
+++ ocb128.c    2016-03-08 16:31:51.241117763 -0800
@@ -140,6 +140,7 @@
 static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
 {
     size_t l_index = ctx->l_index;
+    void *tmp_ptr;

     if (idx <= l_index) {
         return ctx->l + idx;
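Review bot: the new `void *tmp_ptr` would be cleaner typed as `OCB_BLOCK *tmp_ptr`, since it only ever holds the OPENSSL_realloc() result for ctx->l and is assigned back into an OCB_BLOCK *; a typed local lets the compiler catch a mismatch and matches the existing `size_t l_index = ctx->l_index;` declaration above it.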
@@ -157,10 +158,11 @@
          * the index.
          */
         ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
-        ctx->l =
+        tmp_ptr =
             OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
-        if (ctx->l == NULL)
+        if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
             return NULL;
+       ctx->l = tmp_ptr;
     }
     while (l_index < idx) {
         ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
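Review bot: the failure path now preserves ctx->l but not the invariant between ctx->l and ctx->max_l_index: `ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;` has already run before the realloc, so after `return NULL` the context advertises capacity it never obtained, and a later lookup that trusts max_l_index can write past the end of the existing buffer. Compute the grown size into a local, pass that to OPENSSL_realloc(), and assign ctx->max_l_index only after tmp_ptr has been checked for NULL, next to `ctx->l = tmp_ptr;`. Minor: that added line is indented one space short of the surrounding 8-space block.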

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4403
Please log in as guest with password guest if prompted
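To make the failure mode concrete, here is an added, self-contained C example that is not part of the ticket, the attachment, or OpenSSL's own code. It models a growable block table with the same shape as ctx->l / ctx->max_l_index (names table_t, grow_unsafe, grow_safe, try_grow and the fault-injecting test_realloc are all hypothetical), injects a single realloc failure, and compares the pre-patch pattern with the patched one. It goes one step beyond the patch by also deferring the capacity update until realloc succeeds, so that the recorded capacity never exceeds the allocation on the failure path.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the OCB_BLOCK table in the patch above:
 * a growable array of 16-byte blocks plus its recorded capacity. */
typedef struct { unsigned char c[16]; } block_t;

typedef struct {
    block_t *l;         /* growable array, like ctx->l */
    size_t max_l_index; /* capacity in blocks, like ctx->max_l_index */
} table_t;

/* Constructed fault injection: when fail_next_realloc is set, the next call
 * returns NULL and leaves the old allocation untouched, exactly as a real
 * realloc failure does. */
static int fail_next_realloc = 0;

static void *test_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* The pattern the patch removes: realloc's result is written straight into
 * the only pointer to the buffer. On failure the old buffer is leaked, the
 * table holds NULL, and the capacity field has already been bumped. */
static int grow_unsafe(table_t *t, size_t want)
{
    t->max_l_index += (want - t->max_l_index + 4) & ~(size_t)3;
    t->l = test_realloc(t->l, t->max_l_index * sizeof(block_t));
    if (t->l == NULL)
        return 0;
    return 1;
}

/* The pattern the patch introduces, plus one refinement: the new capacity is
 * computed into a local and committed only once realloc succeeds, so on
 * failure both the pointer and the recorded capacity remain consistent. */
static int grow_safe(table_t *t, size_t want)
{
    size_t new_max = t->max_l_index + ((want - t->max_l_index + 4) & ~(size_t)3);
    block_t *tmp = test_realloc(t->l, new_max * sizeof(block_t));
    if (tmp == NULL)
        return 0;                /* t->l and t->max_l_index untouched */
    t->l = tmp;
    t->max_l_index = new_max;
    return 1;
}

/* What survived one grow attempt under an injected realloc failure. */
typedef struct {
    int ok;        /* return value of the grow function */
    int ptr_kept;  /* table still points at the original buffer */
    int data_kept; /* original contents still readable through the table */
    size_t cap;    /* capacity recorded after the failed attempt */
} outcome_t;

static outcome_t try_grow(int (*grow)(table_t *, size_t))
{
    table_t t;
    outcome_t o;
    block_t *before;

    t.max_l_index = 5;
    t.l = calloc(t.max_l_index, sizeof(block_t));
    before = t.l;
    memset(t.l, 0xAB, t.max_l_index * sizeof(block_t)); /* constructed contents */

    fail_next_realloc = 1;
    o.ok = grow(&t, 10);            /* needs 10 blocks, allocation fails */
    o.ptr_kept = (t.l == before);
    o.data_kept = o.ptr_kept && t.l[0].c[0] == 0xAB;
    o.cap = t.max_l_index;

    free(before); /* the simulated failure never released the old block */
    return o;
}

int main(void)
{
    outcome_t u = try_grow(grow_unsafe);
    outcome_t s = try_grow(grow_safe);
    /* unsafe: ok=0, ptr_kept=0, cap=13 (buffer lost, capacity inflated)
     * safe:   ok=0, ptr_kept=1, cap=5  (buffer and capacity intact)   */
    return (u.ptr_kept == 0 && s.ptr_kept == 1 && s.cap == 5) ? 0 : 1;
}
```

With a 5-block table asked to grow to 10, the rounding expression from the patch adds 8 blocks. The unsafe path leaves the table with a NULL pointer and a recorded capacity of 13; the safe path returns failure with the pointer, contents and capacity of 5 all unchanged, which is what a caller needs to either retry or tear the context down cleanly.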
