From 36e619d70f86f9dd52c57b6ac8a3bfea3c0a2745 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Fri, 3 May 2019 15:44:38 +0200
Subject: [PATCH] EVP_EncryptUpdate, EVP_EncryptFinal_ex: don't branch on uninitialized memory
If ctx->cipher->cupdate/ctx->cipher->cfinal failed, 'soutl' is left uninitialized. This patch incorporates the same logic as present in EVP_DecryptUpdate and EVP_DecryptFinal_ex: only branch on 'soutl' if the preceding call succeeded. Bug found by OSS-Fuzz.
Signed-off-by: Guido Vranken
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8874)
---
 crypto/evp/evp_enc.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 4bc6370325..29b707a026 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -590,11 +590,14 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 inl + (blocksize == 1 ? 0 : blocksize), in, (size_t)inl);
- if (soutl > INT_MAX) {
- EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_UPDATE_ERROR);
- return 0;
+ if (ret) {
+ if (soutl > INT_MAX) {
+ EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_UPDATE_ERROR);
+ return 0;
+ }
+ *outl = soutl;
 }
- *outl = soutl;
+ return ret;
 /* TODO(3.0): Remove legacy code below */
@@ -640,11 +643,13 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 ret = ctx->cipher->cfinal(ctx->provctx, out, &soutl, blocksize == 1 ? 0 : blocksize);
- if (soutl > INT_MAX) {
- EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_FINAL_ERROR);
- return 0;
+ if (ret) {
+ if (soutl > INT_MAX) {
+ EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_FINAL_ERROR);
+ return 0;
+ }
+ *outl = soutl;
 }
- *outl = soutl;
 return ret;
--
2.34.1
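Review bot: When the provider call fails, the new `if (ret)` block in EVP_EncryptUpdate returns without writing `*outl`, so a caller that accumulates `*outl` before (or without) checking the return value reads whatever its own variable held, possibly an uninitialised int. Giving the failure path a defined length would close that gap, for example by extending the block with `} else {` / `*outl = 0;` / `}`; the `if (ret)` block in the EVP_EncryptFinal_ex hunk has the same shape and would take the same change. The commit description says this mirrors EVP_DecryptUpdate and EVP_DecryptFinal_ex, which are not visible here, so the choice should be made consistently across all four functions. Both function bodies begin and end outside their hunks.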