Fix potential buffer overrun for EBCDIC.

2 files changed, 23 insertions, 6 deletions

diff --git a/CHANGES b/CHANGES
index f817e93566..e3f2653945 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,9 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Fix potential buffer overrun for EBCDIC.
+     [Ulf Moeller]
+
   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
      request to response.
      [Steve Henson]
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index 62ec1f1db3..8a7659eefc 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -87,9 +87,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
 		else BIO_printf(out, "%s:%s", nval->name, nval->value);
 #else
 		else {
-			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
-			ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
-			BIO_printf(out, "%s:%s", nval->name, tmp);
+			int len;
+			char *tmp;
+			len = strlen(nval->value)+1;
+			tmp = OPENSSL_malloc(len);
+			if (tmp)
+			{
+				ascii2ebcdic(tmp, nval->value, len);
+				BIO_printf(out, "%s:%s", nval->name, tmp);
+				OPENSSL_free(tmp);
+			}
 		}
 #endif
 		if(ml) BIO_puts(out, "\n");
@@ -123,9 +130,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
 		BIO_printf(out, "%*s%s", indent, "", value);
 #else
 		{
-			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
-			ascii2ebcdic(tmp, value, strlen(value)+1);
-			BIO_printf(out, "%*s%s", indent, "", tmp);
+			int len;
+			char *tmp;
+			len = strlen(value)+1;
+			tmp = OPENSSL_malloc(len);
+			if (tmp)
+			{
+				ascii2ebcdic(tmp, value, len);
+				BIO_printf(out, "%*s%s", indent, "", tmp);
+				OPENSSL_free(tmp);
+			}
 		}
 #endif
 	} else if(method->i2v) {