Fix Coverity 1503096: out-of-bounds access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17898)

(cherry picked from commit d1592f21c0d4c2c94a8c6004cf7b5cad2dcb2637)

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index d0cf7d995fe6330537fd19bc8bd2b86ad75f7ad4..19a07debd9486acc63811a04fd4188cf732443cf 100644 (file)
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -344,8 +344,10 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
 
         case EVP_CIPH_CBC_MODE:
             n = EVP_CIPHER_CTX_get_iv_length(ctx);
-            if (!ossl_assert(n >= 0 && n <= (int)sizeof(ctx->iv)))
-                    return 0;
+            if (n < 0 || n > (int)sizeof(ctx->iv)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
+                return 0;
+            }
             if (iv != NULL)
                 memcpy(ctx->oiv, iv, n);
             memcpy(ctx->iv, ctx->oiv, n);
@@ -355,8 +357,11 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
             ctx->num = 0;
             /* Don't reuse IV for CTR mode */
             if (iv != NULL) {
-                if ((n = EVP_CIPHER_CTX_get_iv_length(ctx)) <= 0)
+                n = EVP_CIPHER_CTX_get_iv_length(ctx);
+                if (n <= 0 || n > (int)sizeof(ctx->iv)) {
+                    ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
                     return 0;
+                }
                 memcpy(ctx->iv, iv, n);
             }
             break;