diff options
author | Neil Horman <nhorman@openssl.org> | 2024-07-16 17:38:33 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-07-18 19:09:10 +0200 |
commit | 50066236eb3b31c93aaa935ca38f5cc1ec056696 (patch) | |
tree | af44e9b7e10e6fa906874be6ce869bfc56740a8c | |
parent | Fix coverity-1610057 (diff) | |
download | openssl-50066236eb3b31c93aaa935ca38f5cc1ec056696.tar.xz openssl-50066236eb3b31c93aaa935ca38f5cc1ec056696.zip |
Fix coverity-1604661
Coverity called out an error in asn1parse_main, indicating that the
for(;;) loop which repeatedly reads from a bio and updates the length
value num, may overflow said value prior to exiting the loop.
We could probably call this a false positive, but on very large PEM
file, I suppose it could happen, so just add a check to ensure that num
doesn't go from a large positive to a large negative value inside the
loop
Fixes openssl/private#571
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24910)
-rw-r--r-- | apps/asn1parse.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/apps/asn1parse.c b/apps/asn1parse.c index bf62f85947..26b7cf2173 100644 --- a/apps/asn1parse.c +++ b/apps/asn1parse.c @@ -216,6 +216,9 @@ int asn1parse_main(int argc, char **argv) i = BIO_read(in, &(buf->data[num]), BUFSIZ); if (i <= 0) break; + /* make sure num doesn't overflow */ + if (i > LONG_MAX - num) + goto end; num += i; } } |