File openssl-CVE-2016-2109.patch of Package openssl

From 3d411057a5e28530fffc40b257698f453c89aa87 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Mon, 11 Apr 2016 13:57:20 +0100
Subject: [PATCH] Harden ASN.1 BIO handling of large amounts of data.

If the ASN.1 BIO is presented with a large length field read it in
chunks of increasing size checking for EOF on each read. This prevents
small files allocating excessive amounts of data.

CVE-2016-2109

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807)
---
 crypto/asn1/a_d2i_fp.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

Index: openssl-1.0.1i/crypto/asn1/a_d2i_fp.c
===================================================================
--- openssl-1.0.1i.orig/crypto/asn1/a_d2i_fp.c	2016-04-28 17:32:35.939780310 +0200
+++ openssl-1.0.1i/crypto/asn1/a_d2i_fp.c	2016-04-28 17:38:46.771860473 +0200
@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	{
 	BUF_MEM *b;
@@ -230,6 +231,7 @@ static int asn1_d2i_read_bio(BIO *in, BU
 			want=c.slen;
 			if (want > (len-off))
 				{
+		                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
 				want-=(len-off);
 				if (want > INT_MAX /* BIO_read takes an int length */ ||
 					len+want < len)
@@ -237,24 +239,35 @@ static int asn1_d2i_read_bio(BIO *in, BU
 						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
 						goto err;
 						}
-				if (!BUF_MEM_grow_clean(b,len+want))
-					{
-					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
-					goto err;
-					}
 				while (want > 0)
 					{
-					i=BIO_read(in,&(b->data[len]),want);
-					if (i <= 0)
-						{
-						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-						    ASN1_R_NOT_ENOUGH_DATA);
+					    /*
+					     * Read content in chunks of increasing size
+					     * so we can return an error for EOF without
+					     * having to allocate the entire content length
+					     * in one go.
+					     */
+					    size_t chunk = want > chunk_max ? chunk_max : want;
+
+					    if (!BUF_MEM_grow_clean(b, len + chunk)) {
+						ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
 						goto err;
 						}
+					    want -= chunk;
+					    while (chunk > 0) {
+						i = BIO_read(in, &(b->data[len]), chunk);
+						if (i <= 0) {
+						    ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+							    ASN1_R_NOT_ENOUGH_DATA);
+						    goto err;
+						}
 					/* This can't overflow because
 					 * |len+want| didn't overflow. */
 					len+=i;
-					want-=i;
+					chunk-=i;
+					}
+				    if (chunk_max < INT_MAX/2)
+					chunk_max *= 2;
 					}
 				}
 			if (off + c.slen < off)