Security fixes brought forward from 0.9.7.

[openssl.git] / crypto / asn1 / a_bitstr.c

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 46e97038a28c8fc9d072a6eb05e385f53c868e54..f4ea96cd54e8fd4524f7adc13c7cb78555b578ef 100644 (file)
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -71,8 +71,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
        if (a == NULL) return(0);
 
        len=a->length;
-       ret=1+len;
-       if (pp == NULL) return(ret);
 
        if (len > 0)
                {
@@ -100,6 +98,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
                }
        else
                bits=0;
+
+       ret=1+len;
+       if (pp == NULL) return(ret);
+
        p= *pp;
 
        *(p++)=(unsigned char)bits;
@@ -118,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
        unsigned char *p,*s;
        int i;
 
+       if (len < 1)
+               {
+               i=ASN1_R_STRING_TOO_SHORT;
+               goto err;
+               }
+
        if ((a == NULL) || ((*a) == NULL))
                {
                if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
@@ -172,6 +180,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
        w=n/8;
        v=1<<(7-(n&0x07));
        iv= ~v;
+       if (!value) v=0;
 
        a->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear, set on write */
 
@@ -182,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
                if (a->data == NULL)
                        c=(unsigned char *)OPENSSL_malloc(w+1);
                else
-                       c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
+                       c=(unsigned char *)OPENSSL_realloc_clean(a->data,
+                                                                a->length,
+                                                                w+1);
                if (c == NULL) return(0);
                if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
                a->data=c;