Commit d3d51adc authored by Andy Polyakov's avatar Andy Polyakov
Browse files

asn1/a_int.c: fix "next negative minimum" corner case in c2i_ibuf. 



"Next" refers to negative minimum "next" to one presentable by given
number of bytes. For example, -128 is negative minimum presentable by
one byte, and -256 is "next" one.

Thanks to Kazuki Yamaguchi for report, GH#3339

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(cherry picked from commit 1e93d619)
parent 913d3a64

crypto/asn1/a_int.c

+14 −3
Original line number Diff line number Diff line
@@ -167,10 +167,21 @@ static size_t c2i_ibuf(unsigned char *b, int *pneg, 
        }

        return 1;

    }

    if (p[0] == 0 || p[0] == 0xFF)

        pad = 1;

    else



    pad = 0;

    if (p[0] == 0) {

        pad = 1;

    } else if (p[0] == 0xFF) {

        size_t i;



        /*

         * Special case [of "one less minimal negative" for given length]:

         * if any other bytes non zero it was padded, otherwise not.

         */

        for (pad = 0, i = 1; i < plen; i++)

            pad |= p[i];

        pad = pad != 0 ? 1 : 0;

    }

    /* reject illegal padding: first two octets MSB can't match */

    if (pad && (neg == (p[1] & 0x80))) {

        ASN1err(ASN1_F_C2I_IBUF, ASN1_R_ILLEGAL_PADDING);