Make sure the return value isn't bigger than the buffer len
Reviewed-by: Richard Levitte <levitte@openssl.org>
ret = (int)bio_call_callback(b, BIO_CB_READ | BIO_CB_RETURN, data,
datal, 0, 0L, ret, read);
ret = (int)bio_call_callback(b, BIO_CB_READ | BIO_CB_RETURN, data,
datal, 0, 0L, ret, read);
+ /* Shouldn't happen */
+ if (ret > 0 && *read > datal)
+ return -1;
+
+ if (outl < 0) {
+ BIOerr(BIO_F_BIO_GETS, BIO_R_INVALID_ARGUMENT);
+ return 0;
+ }
+
if (b->callback != NULL || b->callback_ex != NULL) {
ret = (int)bio_call_callback(b, BIO_CB_GETS, out, outl, 0, 0L, 1, NULL);
if (ret <= 0)
if (b->callback != NULL || b->callback_ex != NULL) {
ret = (int)bio_call_callback(b, BIO_CB_GETS, out, outl, 0, 0L, 1, NULL);
if (ret <= 0)
0, 0L, ret, &read);
if (ret > 0) {
0, 0L, ret, &read);
if (ret > 0) {
+ /* Shouldn't happen */
+ if (read > (size_t)outl)
ret = -1;
else
ret = (int)read;
ret = -1;
else
ret = (int)read;
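Review bot: Both "Shouldn't happen" checks fail silently: `if (ret > 0 && *read > datal) return -1;` and the `read > (size_t)outl` branch that sets `ret = -1` put nothing on the error queue, whereas the new `outl < 0` check records `BIO_R_INVALID_ARGUMENT`. A BIO method that reports more bytes than the buffer can hold is a memory-safety bug in that method, yet the caller sees a bare -1 that looks like an ordinary read failure. I would record an internal error in both places before returning, e.g. `BIOerr(<function code>, ERR_R_INTERNAL_ERROR);` (the function code is a placeholder, as it is not visible on this page). In the read path the check also sits after the `BIO_CB_READ | BIO_CB_RETURN` callback call, so the callback appears to be handed the oversized count before it is rejected; it may be worth validating first. The enclosing functions start and end outside the lines shown, so this is based on the visible lines only.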