Hello All, In reviewing code in directory 'crypto/modes', file 'ocb128.c', there is a call to OPENSSL_realloc() which has the potential to clobber the old value of variable 'ctx->l', if the call returns NULL.
The patch file below uses a void *tmp_ptr to prevent this from occuring:
--- ocb128.c.orig 2016-03-08 16:29:47.856436204 -0800
+++ ocb128.c 2016-03-08 16:31:51.241117763 -0800
@@ -140,6 +140,7 @@
 static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
 {
 size_t l_index = ctx->l_index;
+ void *tmp_ptr;
 if (idx <= l_index) {
 return ctx->l + idx;
@@ -157,10 +158,11 @@
 * the index.
 */
 ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
- ctx->l =
+ tmp_ptr =
 OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
- if (ctx->l == NULL)
+ if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
 return NULL;
+ ctx->l = tmp_ptr;
 }
 while (l_index < idx) {
 ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
-- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4403 Please log in as guest with password guest if prompted
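Review bot: In the second hunk, `ctx->max_l_index` is still increased before `OPENSSL_realloc()` is called, so on the new failure path `ctx->l` keeps the old, smaller buffer while the context already records the larger capacity. The capacity check that guards this block is outside the hunk, but if it compares `idx` against `ctx->max_l_index`, a later lookup would skip the reallocation and the `ocb_double()` loop could write past the end of the old allocation. Computing the size in a local and committing it only after success avoids that: `size_t new_max = ctx->max_l_index + ((idx - ctx->max_l_index + 4) & ~3);`, pass `new_max * sizeof(OCB_BLOCK)` to the realloc, and set `ctx->max_l_index = new_max;` right after `ctx->l = tmp_ptr;`. The multiplication by `sizeof(OCB_BLOCK)` is also not checked for `size_t` overflow, and the end of `ocb_lookup_l` lies outside the hunk, so callers' handling of the NULL return cannot be confirmed from here.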