summaryrefslogtreecommitdiff
path: root/lib/libcrypto/asn1/asn1_par.c
diff options
context:
space:
mode:
authorKinichiro Inoguchi <inoguchi@cvs.openbsd.org>2022-01-14 23:55:47 +0000
committerKinichiro Inoguchi <inoguchi@cvs.openbsd.org>2022-01-14 23:55:47 +0000
commit396bd9843c80153858dfdc47e306af0898417639 (patch)
tree958785bdb5ed09d4c2fedbaed2ef5072064aea9a /lib/libcrypto/asn1/asn1_par.c
parentde3e1c73f68b33e2d736448704789eb8bbddb66f (diff)
Avoid buffer overflow in asn1_parse2
asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be overrun since ASN1_get_object advances pointer to the first content octet. In case invalid ASN1 Boolean data, it has length but no content, I thought this could be happen. Adding check p with tot (diff below) will avoid this failure. Reported by oss-fuzz 43633 and 43648(later) ok tb@
Diffstat (limited to 'lib/libcrypto/asn1/asn1_par.c')
-rw-r--r--lib/libcrypto/asn1/asn1_par.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libcrypto/asn1/asn1_par.c b/lib/libcrypto/asn1/asn1_par.c
index aec71d3be9a..e9fe52021cc 100644
--- a/lib/libcrypto/asn1/asn1_par.c
+++ b/lib/libcrypto/asn1/asn1_par.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
goto end;
}
} else if (tag == V_ASN1_BOOLEAN) {
- if (len != 1) {
+ if (len != 1 || p >= tot) {
if (BIO_write(bp, "Bad boolean\n",
12) <= 0)
goto end;