authorTheo Buehler <tb@cvs.openbsd.org>2024-12-11 11:22:07 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-12-11 11:22:07 +0000
commitf42c107a4288efa8d89d089c9d3420aee5799781 (patch)
tree948fb8f02bb363b79e9189ae75d2c51a74b74129
parent660564313214385da08d63578cd312b5070933a1 (diff)
Avoid an oob access in asn1_item_free()
As explained in a comment, this needs to loop backwards and the last tt-- ends up pointing at &it->templates[-1], which isn't ok. Use a simple way of looping, which is also ugly and involves some type confusion as pointed out by claudio. However, type confusion is common in libcrypto's asn1 code and won't be fixed anytime soon anyway. ok jsing
-rw-r--r--lib/libcrypto/asn1/tasn_fre.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/libcrypto/asn1/tasn_fre.c b/lib/libcrypto/asn1/tasn_fre.c
index 83c073b55db..0e259a13ab9 100644
--- a/lib/libcrypto/asn1/tasn_fre.c
+++ b/lib/libcrypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.23 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -152,10 +152,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
* determine the type of the field it defines. So
* free up in reverse order.
*/
- tt = it->templates + it->tcount - 1;
- for (i = 0; i < it->tcount; tt--, i++) {
+ for (i = it->tcount - 1; i >= 0; i--) {
ASN1_VALUE **pseqval;
- seqtt = asn1_do_adb(pval, tt, 0);
+ seqtt = asn1_do_adb(pval, &it->templates[i], 0);
if (!seqtt)
continue;
pseqval = asn1_get_field_ptr(pval, seqtt);
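Review bot: The new loop header `for (i = it->tcount - 1; i >= 0; i--)` terminates only if `i` is a signed type, and its declaration is outside this hunk, so that should be confirmed. With an unsigned index the test is always true and the index would wrap past zero into an out-of-bounds read of `it->templates`. The comment above the loop explains why the order is reversed but not why an index replaced the walking pointer. I would add a line such as `* Index instead of decrementing a pointer: tt-- would end at &it->templates[-1].` so a later cleanup does not bring the pointer form back. The body of asn1_item_free() starts and ends outside the hunk, so whether `tt` is still used elsewhere in the function cannot be checked from here.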