Hi,
A Coverity run has uncovered two bugs.
tasn_new.c:
'it' could be NULL -- potential NULL dereference
srp_vfy.c:
if t_fromb64() is passed invalidly encoded base64 input (the 1st byte of
"src" isn't base64), then we may access an uninitialized element of array
"a".
Potential fixes, diff'ed against latest snapshot
(openssl-1.0.2-stable-SNAP-20120925.tar.gz) are attached.
Thanks
--- crypto/srp/srp_vfy.c.orig 2012-06-03 16:00:24.000000000 -0700
+++ crypto/srp/srp_vfy.c 2012-09-25 11:24:36.000000000 -0700
@@ -93,6 +93,10 @@ static int t_fromb64(unsigned char *a, c
else a[i] = loc - b64table;
++i;
}
+ if (i == 0)
+ {
+ goto exit;
+ }
size = i;
i = size - 1;
j = size;
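Review bot: The new `i == 0` guard jumps to a label whose only statement is `return i;`; returning the constant directly, `if (i == 0) return 0;`, keeps the empty-input path local and avoids adding a label at the end of the function. The guard itself is necessary: with i still 0, the following `i = size - 1` goes negative (or wraps, if these are unsigned — the declarations are outside the hunk) and `a` would be indexed with it. It only covers the case where no byte decoded at all; whether a bad byte after a valid prefix is also rejected depends on the branch above `else a[i] = loc - b64table;`, which is not visible here. t_fromb64's body starts before this hunk.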
@@ -116,6 +120,7 @@ static int t_fromb64(unsigned char *a, c
while(a[j] == 0 && j <= size) ++j;
i = 0;
while (j <= size) a[i++] = a[j++];
+exit:
return i;
}
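Review bot: The context line `while(a[j] == 0 && j <= size) ++j;` tests `a[j]` before the bound, so the element one past `size` may be read before the loop stops; the bound should be checked first, `while (j <= size && a[j] == 0) ++j;`. The new `exit:` label shares its name with the standard library function; labels have their own namespace so this compiles, but a name such as `out:` or `done:` avoids the double reading. t_fromb64 begins before the previous hunk, and one line of this hunk appears to have been lost in transit (the header counts six old lines, five are shown).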
--- crypto/asn1/tasn_new.c.orig 2009-09-02 06:55:22.000000000 -0700
+++ crypto/asn1/tasn_new.c 2012-09-25 11:24:13.000000000 -0700
@@ -364,7 +364,7 @@ int ASN1_primitive_new(ASN1_VALUE **pval
default:
str = ASN1_STRING_type_new(utype);
- if (it->itype == ASN1_ITYPE_MSTRING && str)
+ if (it && it->itype == ASN1_ITYPE_MSTRING && str)
str->flags |= ASN1_STRING_FLAG_MSTRING;
*pval = (ASN1_VALUE *)str;
break;
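Review bot: The added `it &&` guard removes the dereference at this one site, but nothing in the hunk records why `it` can be NULL when ASN1_primitive_new reaches `default:`; a comment such as `/* it may be NULL for an untyped primitive; only a real MSTRING item sets the flag */` would capture the contract the Coverity finding implies. If `it` really can be NULL here, any earlier use of `it` in this function (outside the hunk) must tolerate it as well — worth confirming once rather than guarding single uses as they are reported. ASN1_primitive_new begins before this hunk.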