a_strex.c: prevent out of bound read in do_buf() (7e6c0f56) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/asn1/a_strex.c

+23 −2

Original line number	Diff line number	Diff line
		@@ -194,18 +194,38 @@ static int do_buf(unsigned char *buf, int buflen,
		int type, unsigned char flags, char quotes, char_io io_ch,
		void *arg)
		{
		int i, outlen, len;
		int i, outlen, len, charwidth;
		unsigned char orflags, p, q;
		unsigned long c;
		p = buf;
		q = buf + buflen;
		outlen = 0;
		charwidth = type & BUF_TYPE_WIDTH_MASK;

		switch (charwidth) {
		case 4:
		if (buflen & 3) {
		ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
		return -1;
		}
		break;
		case 2:
		if (buflen & 1) {
		ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH);
		return -1;
		}
		break;
		default:
		break;
		}

		while (p != q) {
		if (p == buf && flags & ASN1_STRFLGS_ESC_2253)
		orflags = CHARTYPE_FIRST_ESC_2253;
		else
		orflags = 0;
		switch (type & BUF_TYPE_WIDTH_MASK) {

		switch (charwidth) {
		case 4:
		c = ((unsigned long)*p++) << 24;
		c \|= ((unsigned long)*p++) << 16;
		@@ -226,6 +246,7 @@ static int do_buf(unsigned char *buf, int buflen,
		i = UTF8_getc(p, buflen, &c);
		if (i < 0)
		return -1; /* Invalid UTF8String */
		buflen -= i;
		p += i;
		break;
		default:

+4 −2

Original line number	Diff line number	Diff line
		@@ -1164,6 +1164,7 @@ int SMIME_text(BIO in, BIO out);
		* The following lines are auto generated by the script mkerr.pl. Any changes
		* made after this point may be overwritten when the script is next run.
		*/

		void ERR_load_ASN1_strings(void);

		/* Error codes for the ASN1 functions. */
		@@ -1264,6 +1265,7 @@ void ERR_load_ASN1_strings(void);
		# define ASN1_F_D2I_X509 156
		# define ASN1_F_D2I_X509_CINF 157
		# define ASN1_F_D2I_X509_PKEY 159
		# define ASN1_F_DO_BUF 221
		# define ASN1_F_I2D_ASN1_BIO_STREAM 211
		# define ASN1_F_I2D_ASN1_SET 188
		# define ASN1_F_I2D_ASN1_TIME 160

+1 −0

Original line number	Diff line number	Diff line
		@@ -166,6 +166,7 @@ static ERR_STRING_DATA ASN1_str_functs[] = {
		{ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"},
		{ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"},
		{ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"},
		{ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"},
		{ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"},
		{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
		{ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"},