Fix a possible integer overflow in long_c2i

Credit to OSS-Fuzz for finding this.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3088)

diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c
index 233725f8fffb8e60487b4ebdfe8b6af8f322ca8b..615d24df088fec0ed90fd9e27ace1aa2e6cb4921 100644 (file)
--- a/crypto/asn1/x_long.c
+++ b/crypto/asn1/x_long.c
@@ -149,6 +149,10 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
             utmp |= cont[i];
     }
     ltmp = (long)utmp;
+    if (ltmp < 0) {
+        ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+        return 0;
+    }
     if (neg) {
         ltmp = -ltmp;
         ltmp--;