Fix a possible integer overflow in long_c2i
authorMatt Caswell <matt@openssl.org>
Mon, 27 Mar 2017 15:11:11 +0000 (16:11 +0100)
committerRichard Levitte <levitte@openssl.org>
Tue, 4 Apr 2017 09:29:23 +0000 (11:29 +0200)
Credit to OSS-Fuzz for finding this.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3088)

crypto/asn1/x_long.c

index 233725f..615d24d 100644 (file)
@@ -149,6 +149,10 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
             utmp |= cont[i];
     }
     ltmp = (long)utmp;
+    if (ltmp < 0) {
+        ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+        return 0;
+    }
     if (neg) {
         ltmp = -ltmp;
         ltmp--;