Fix buffer overrun in ASN1_parse().

Fix buffer overrun in asn1_get_length(). Reproducer: asn1parse-reproduce crash-6bfd417f47bc940f6984f5e639b637fd4e6074bc Fix length calculations. Reproducer: asn1parse-reproduce crash-1819d0e54cd2b0430626c59053e6077ef04c2ffb Reproducer: asn1parse-reproduce crash-9969db8603e644ddc0ba3459b51eac7a2c4b729b Make i long. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Ben Laurie <ben@links.org> 2016-03-29 19:37:57 +0100
committer: Ben Laurie <ben@links.org> 2016-03-30 20:28:44 +0100
commit: 79c7f74d6cefd5d32fa20e69195ad3de834ce065 (patch)
tree: 843eaf62c96f9adfcbbd633fac1f7f863b362539 /crypto/asn1/asn1_par.c
parent: 087ca80ad83071dde0bb6bc1c28c743caa00eaf8 (diff)
download: openssl-79c7f74d6cefd5d32fa20e69195ad3de834ce065.tar.gz
1 files changed, 13 insertions, 4 deletions
diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index 773b8b2ee3..b721273cf1 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -164,6 +164,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
         if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
             goto end;
         if (j & V_ASN1_CONSTRUCTED) {
+            const unsigned char *sp = p;
+                
             ep = p + len;
             if (BIO_write(bp, "\n", 1) <= 0)
                 goto end;
@@ -181,19 +183,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         ret = 0;
                         goto end;
                     }
-                    if ((r == 2) || (p >= tot))
+                    if ((r == 2) || (p >= tot)) {
+                        len = p - sp;
                         break;
+                    }
                 }
-            } else
+            } else {
                 while (p < ep) {
-                    r = asn1_parse2(bp, &p, (long)len,
+                    sp = p;
+                    r = asn1_parse2(bp, &p, len,
                                     offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
                         goto end;
                     }
+                    len -= p - sp;
                 }
+                len = length;
+            }
         } else if (xclass != 0) {
             p += len;
             if (BIO_write(bp, "\n", 1) <= 0)
@@ -229,7 +237,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         goto end;
                     dump_cont = 1;
                 }
-                BIO_printf(bp, ":%u", p[0]);
+                if (len > 0)
+                    BIO_printf(bp, ":%u", p[0]);
             } else if (tag == V_ASN1_BMPSTRING) {
                 /* do the BMP thang */
             } else if (tag == V_ASN1_OCTET_STRING) {
author	Ben Laurie <ben@links.org>	2016-03-29 19:37:57 +0100
committer	Ben Laurie <ben@links.org>	2016-03-30 20:28:44 +0100
commit	79c7f74d6cefd5d32fa20e69195ad3de834ce065 (patch)
tree	843eaf62c96f9adfcbbd633fac1f7f863b362539 /crypto/asn1/asn1_par.c
parent	087ca80ad83071dde0bb6bc1c28c743caa00eaf8 (diff)
download	openssl-79c7f74d6cefd5d32fa20e69195ad3de834ce065.tar.gz