projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Check for potentially exploitable overflows in asn1_d2i_read_bio
[openssl.git]
/
crypto
/
buffer
/
buffer.c
diff --git
a/crypto/buffer/buffer.c
b/crypto/buffer/buffer.c
index f4b358bbbd674fab32b11a64ce0aba16b769d76a..52e65dfdfcbb0b287a2cf1f0e8894c69a1a03859 100644
(file)
--- a/
crypto/buffer/buffer.c
+++ b/
crypto/buffer/buffer.c
@@
-60,6
+60,11
@@
#include "cryptlib.h"
#include <openssl/buffer.h>
#include "cryptlib.h"
#include <openssl/buffer.h>
+/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
+ * function is applied in several functions in this file and this limit ensures
+ * that the result fits in an int. */
+#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
+
BUF_MEM *BUF_MEM_new(void)
{
BUF_MEM *ret;
BUF_MEM *BUF_MEM_new(void)
{
BUF_MEM *ret;
@@
-105,6
+110,12
@@
int BUF_MEM_grow(BUF_MEM *str, size_t len)
str->length=len;
return(len);
}
str->length=len;
return(len);
}
+ /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+ if (len > LIMIT_BEFORE_EXPANSION)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
@@
-142,6
+153,12
@@
int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
str->length=len;
return(len);
}
str->length=len;
return(len);
}
+ /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+ if (len > LIMIT_BEFORE_EXPANSION)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);