Check for potentially exploitable overflows in asn1_d2i_read_bio

[openssl.git] / crypto / buffer / buffer.c

diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c
index d96487e7dbd06a2955516b91a1029bf7fbd6dfe7..52e65dfdfcbb0b287a2cf1f0e8894c69a1a03859 100644 (file)
--- a/crypto/buffer/buffer.c
+++ b/crypto/buffer/buffer.c
@@ -60,6 +60,11 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 
+/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
+ * function is applied in several functions in this file and this limit ensures
+ * that the result fits in an int. */
+#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
+
 BUF_MEM *BUF_MEM_new(void)
        {
        BUF_MEM *ret;
@@ -89,10 +94,10 @@ void BUF_MEM_free(BUF_MEM *a)
        OPENSSL_free(a);
        }
 
-int BUF_MEM_grow(BUF_MEM *str, int len)
+int BUF_MEM_grow(BUF_MEM *str, size_t len)
        {
        char *ret;
-       unsigned int n;
+       size_t n;
 
        if (str->length >= len)
                {
@@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
                str->length=len;
                return(len);
                }
+       /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+       if (len > LIMIT_BEFORE_EXPANSION)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
@@ -125,10 +136,10 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
        return(len);
        }
 
-int BUF_MEM_grow_clean(BUF_MEM *str, int len)
+int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
        {
        char *ret;
-       unsigned int n;
+       size_t n;
 
        if (str->length >= len)
                {
@@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
                str->length=len;
                return(len);
                }
+       /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+       if (len > LIMIT_BEFORE_EXPANSION)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
@@ -149,7 +166,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
                ret=OPENSSL_realloc_clean(str->data,str->max,n);
        if (ret == NULL)
                {
-               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
                len=0;
                }
        else
@@ -162,41 +179,25 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
        return(len);
        }
 
-char *BUF_strdup(const char *str)
+void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
        {
-       char *ret;
-       int n;
-
-       if (str == NULL) return(NULL);
-
-       n=strlen(str);
-       ret=OPENSSL_malloc(n+1);
-       if (ret == NULL) 
+       size_t i;
+       if (in)
                {
-               BUFerr(BUF_F_BUF_STRDUP,ERR_R_MALLOC_FAILURE);
-               return(NULL);
+               out += size - 1;
+               for (i = 0; i < size; i++)
+                       *in++ = *out--;
                }
-       memcpy(ret,str,n+1);
-       return(ret);
-       }
-
-size_t BUF_strlcpy(char *dst, const char *src, size_t size)
-       {
-       size_t l = 0;
-       for(; size > 1 && *src; size--)
+       else
                {
-               *dst++ = *src++;
-               l++;
+               unsigned char *q;
+               char c;
+               q = out + size - 1;
+               for (i = 0; i < size/2; i++)
+                       {
+                       c = *q;
+                       *q-- = *out;
+                       *out++ = c;
+                       }
                }
-       if (size)
-               *dst = '\0';
-       return l + strlen(src);
-       }
-
-size_t BUF_strlcat(char *dst, const char *src, size_t size)
-       {
-       size_t l = 0;
-       for(; size > 0 && *dst; size--, dst++)
-               l++;
-       return l + BUF_strlcpy(dst, src, size);
        }