The branch OpenSSL_1_0_1-stable has been updated via 6592de7c8c090bbb7ec82bad07b3249153bb692f (commit) from 5db2a579b72b94aa0dacb08530768a1a5759237d (commit)
- Log -----------------------------------------------------------------
commit 6592de7c8c090bbb7ec82bad07b3249153bb692f
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Thu Aug 4 13:54:51 2016 +0100
Check for overflows in i2d_ASN1_SET()
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_set.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c
index bf3f971..5fb5865 100644
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -57,6 +57,7 @@
 */
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1_mac.h>
@@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
 if (a == NULL)
 return (0);
- for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--)
+ for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) {
+ int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+ if (tmplen > INT_MAX - ret)
+ return -1;
 ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+ }
 r = ASN1_object_size(1, ret, ex_tag);
- if (pp == NULL)
+ if (pp == NULL || r == -1)
 return (r);
 p = *pp;
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
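Review bot: In the new loop body of the second hunk, the length that is range-checked (`tmplen`) is not the value that gets added: `ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);` calls the encoder a second time, so each element is sized twice and the guard only holds if both calls return the same value. Changing that line to `ret += tmplen;` makes the check and the addition use one result. The guard `tmplen > INT_MAX - ret` also lets a negative `tmplen` through; if `i2d` can report an error with a negative return, it would be silently subtracted from `ret`, so `if (tmplen < 0 || tmplen > INT_MAX - ret)` is the safer condition. The new `return -1` and the `r == -1` test give i2d_ASN1_SET an error return, and its callers, like the rest of the function body, are outside this hunk, so whether they handle a negative length cannot be confirmed here.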