Fix the heap corruption in libeay32!OBJ_add_object.

Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
they return different sizes. Therefore as the result heap gets corrupted
and at some point later debug version of malloc() detects the corruption.

On x86 we can observe that as follows:

sizeof(*ao) == 4
sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8

Issue reproduces with either enabling CRT debug heap or Application
Verifier's full-page heap.

Basic debugging data from the moment the corruption is first detected:

0:000:x86> |
.  0    id: 283c        create  name: openssl.exe
0:000:x86> kcn
 #
00 MSVCR120D!_heap_alloc_dbg_impl
01 MSVCR120D!_nh_malloc_dbg_impl
02 MSVCR120D!_nh_malloc_dbg
03 MSVCR120D!malloc
04 LIBEAY32!default_malloc_ex
05 LIBEAY32!CRYPTO_malloc
06 LIBEAY32!lh_insert
07 LIBEAY32!OBJ_add_object
08 LIBEAY32!OBJ_create
09 openssl!add_oid_section
0a openssl!req_main
0b openssl!do_cmd
0c openssl!main
0d openssl!__tmainCRTStartup
0e openssl!mainCRTStartup
0f KERNEL32!BaseThreadInitThunk
10 ntdll_77d60000!__RtlUserThreadStart
11 ntdll_77d60000!_RtlUserThreadStart

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 991a1b7058002149033b0ab80c75cfc0431e6d94..3df7ff2457d4be132e64892385c29da64bb5c14c 100644 (file)
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -255,16 +255,16 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
             return (0);
     if ((o = OBJ_dup(obj)) == NULL)
         goto err;
-    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
         goto err2;
     if ((o->length != 0) && (obj->data != NULL))
-        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->sn != NULL)
-        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->ln != NULL)
-        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
 
     for (i = ADDED_DATA; i <= ADDED_NID; i++) {