diff options
author | Kinichiro Inoguchi <inoguchi@cvs.openbsd.org> | 2022-01-14 23:55:47 +0000 |
---|---|---|
committer | Kinichiro Inoguchi <inoguchi@cvs.openbsd.org> | 2022-01-14 23:55:47 +0000 |
commit | 396bd9843c80153858dfdc47e306af0898417639 (patch) | |
tree | 958785bdb5ed09d4c2fedbaed2ef5072064aea9a /lib/libcrypto/asn1/asn1_par.c | |
parent | de3e1c73f68b33e2d736448704789eb8bbddb66f (diff) |
Avoid buffer overflow in asn1_parse2
asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be
overrun since ASN1_get_object advances pointer to the first content octet.
In case invalid ASN1 Boolean data, it has length but no content, I thought
this could be happen.
Adding check p with tot (diff below) will avoid this failure.
Reported by oss-fuzz 43633 and 43648(later)
ok tb@
Diffstat (limited to 'lib/libcrypto/asn1/asn1_par.c')
-rw-r--r-- | lib/libcrypto/asn1/asn1_par.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libcrypto/asn1/asn1_par.c b/lib/libcrypto/asn1/asn1_par.c index aec71d3be9a..e9fe52021cc 100644 --- a/lib/libcrypto/asn1/asn1_par.c +++ b/lib/libcrypto/asn1/asn1_par.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, goto end; } } else if (tag == V_ASN1_BOOLEAN) { - if (len != 1) { + if (len != 1 || p >= tot) { if (BIO_write(bp, "Bad boolean\n", 12) <= 0) goto end; |