Commit 2bd5d70c authored by Matt Caswell's avatar Matt Caswell
Browse files

Ensure EVP_EncodeUpdate handles an output length that is too long 



With the EVP_EncodeUpdate function it is the caller's responsibility to
determine how big the output buffer should be. The function writes the
amount actually used to |*outl|. However this could go negative with a
sufficiently large value for |inl|. We add a check for this error
condition.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent ee1e3cac

crypto/evp/encode.c

+8 −2
Original line number Diff line number Diff line
@@ -56,6 +56,7 @@ 
 */



#include <stdio.h>

#include <limits.h>

#include "internal/cryptlib.h"

#include <openssl/evp.h>

#include "evp_locl.h"
@@ -165,7 +166,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, 
                      const unsigned char *in, int inl)

{

    int i, j;

    unsigned int total = 0;

    size_t total = 0;



    *outl = 0;

    if (inl <= 0)
@@ -188,7 +189,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, 
        *out = '\0';

        total = j + 1;

    }

    while (inl >= ctx->length) {

    while (inl >= ctx->length && total <= INT_MAX) {

        j = EVP_EncodeBlock(out, in, ctx->length);

        in += ctx->length;

        inl -= ctx->length;
@@ -197,6 +198,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, 
        *out = '\0';

        total += j + 1;

    }

    if (total > INT_MAX) {

        /* Too much output data! */

        *outl = 0;

        return;

    }

    if (inl != 0)

        memcpy(&(ctx->enc_data[0]), in, inl);

    ctx->num = inl;