diff options
author | Ben Laurie <ben@links.org> | 2016-03-29 19:37:57 +0100 |
---|---|---|
committer | Ben Laurie <ben@links.org> | 2016-03-30 20:28:44 +0100 |
commit | 79c7f74d6cefd5d32fa20e69195ad3de834ce065 (patch) | |
tree | 843eaf62c96f9adfcbbd633fac1f7f863b362539 /crypto/asn1/asn1_par.c | |
parent | 087ca80ad83071dde0bb6bc1c28c743caa00eaf8 (diff) | |
download | openssl-79c7f74d6cefd5d32fa20e69195ad3de834ce065.tar.gz |
Fix buffer overrun in ASN1_parse().
Fix buffer overrun in asn1_get_length().
Reproducer: asn1parse-reproduce crash-6bfd417f47bc940f6984f5e639b637fd4e6074bc
Fix length calculations.
Reproducer: asn1parse-reproduce crash-1819d0e54cd2b0430626c59053e6077ef04c2ffb
Reproducer: asn1parse-reproduce crash-9969db8603e644ddc0ba3459b51eac7a2c4b729b
Make i long.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/asn1/asn1_par.c')
-rw-r--r-- | crypto/asn1/asn1_par.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index 773b8b2ee3..b721273cf1 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -164,6 +164,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0)) goto end; if (j & V_ASN1_CONSTRUCTED) { + const unsigned char *sp = p; + ep = p + len; if (BIO_write(bp, "\n", 1) <= 0) goto end; @@ -181,19 +183,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, ret = 0; goto end; } - if ((r == 2) || (p >= tot)) + if ((r == 2) || (p >= tot)) { + len = p - sp; break; + } } - } else + } else { while (p < ep) { - r = asn1_parse2(bp, &p, (long)len, + sp = p; + r = asn1_parse2(bp, &p, len, offset + (p - *pp), depth + 1, indent, dump); if (r == 0) { ret = 0; goto end; } + len -= p - sp; } + len = length; + } } else if (xclass != 0) { p += len; if (BIO_write(bp, "\n", 1) <= 0) @@ -229,7 +237,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, goto end; dump_cont = 1; } - BIO_printf(bp, ":%u", p[0]); + if (len > 0) + BIO_printf(bp, ":%u", p[0]); } else if (tag == V_ASN1_BMPSTRING) { /* do the BMP thang */ } else if (tag == V_ASN1_OCTET_STRING) { |