authorJoel Sing <jsing@cvs.openbsd.org>2019-04-10 16:23:56 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2019-04-10 16:23:56 +0000
commit1c2dd8d19aac833af3aaa2ccee39b18038e9c5a7 (patch)
tree3eea4f3a5e5b1102c0567a26114f9d39743dd3c0 /lib/libcrypto
parentc165a315877af72d6f09bcf78d88dc388fe0f3ec (diff)
Avoid an overread caused by d2i_PrivateKey().
There are cases where the old_priv_decode() function can fail but consume bytes. This will result in the pp pointer being advanced, which causes d2i_PKCS8_PRIV_KEY_INFO() to be called with an advanced pointer and incorrect length. Fixes oss-fuzz #13803 and #14142. ok deraadt@ tb@
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/asn1/d2i_pr.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libcrypto/asn1/d2i_pr.c b/lib/libcrypto/asn1/d2i_pr.c
index a657a1f3cd1..e450dee12fb 100644
--- a/lib/libcrypto/asn1/d2i_pr.c
+++ b/lib/libcrypto/asn1/d2i_pr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d2i_pr.c,v 1.16 2018/04/14 07:09:21 tb Exp $ */
+/* $OpenBSD: d2i_pr.c,v 1.17 2019/04/10 16:23:55 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -76,6 +76,7 @@
EVP_PKEY *
d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length)
{
+ const unsigned char *p = *pp;
EVP_PKEY *ret;
if ((a == NULL) || (*a == NULL)) {
@@ -100,6 +101,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length)
!ret->ameth->old_priv_decode(ret, pp, length)) {
if (ret->ameth->priv_decode) {
PKCS8_PRIV_KEY_INFO *p8 = NULL;
+ *pp = p; /* XXX */
p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length);
if (!p8)
goto err;
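Review bot: The `/* XXX */` on the added `*pp = p;` line leaves the reason for the rewind undocumented, and the rationale exists only in the commit message; the comment should state it, e.g. `*pp = p; /* old_priv_decode() may advance *pp even on failure; rewind so the PKCS#8 fallback parses from the original start, matching the unchanged length. */`. The declaration `const unsigned char *p = *pp;` in the earlier hunk at the top of d2i_PrivateKey() is the other half of this fix and would benefit from a short note such as `/* remember the start of the buffer so a failed legacy decode can be undone */`. Resetting `*pp` while passing the original `length` is consistent, since `p` is the start that `length` was measured from; whether `*pp` is also restored on the `goto err` path, or when `priv_decode` is NULL, cannot be seen from these hunks. The enclosing function begins in the previous hunk and continues past the end of this one.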