File 0001-Fix-buffer-overrun-in-ASN1_parse.patch of Package libopenssl0_9_8
From 697283ba418b21c4c0682d7050264b492e2ea4e2 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Tue, 19 Apr 2016 22:23:24 -0400
Subject: [PATCH] Fix buffer overrun in ASN1_parse().
Backport of commits:
79c7f74d6cefd5d32fa20e69195ad3de834ce065
bdcd660e33710079b495cf5cc6a1aaa5d2dcd317
from master.
Reviewed-by: Matt Caswell <matt@openssl.org>
---
crypto/asn1/asn1_lib.c | 18 +++++++-----------
crypto/asn1/asn1_par.c | 17 +++++++++++++----
2 files changed, 20 insertions(+), 15 deletions(-)
Index: openssl-0.9.8zh/crypto/asn1/asn1_lib.c
===================================================================
--- openssl-0.9.8zh.orig/crypto/asn1/asn1_lib.c 2016-05-03 17:40:38.743725669 +0200
+++ openssl-0.9.8zh/crypto/asn1/asn1_lib.c 2016-05-03 17:43:49.286728306 +0200
@@ -63,7 +63,7 @@
#include <openssl/asn1_mac.h>
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- int max);
+ long max);
static void asn1_put_length(unsigned char **pp, int length);
const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char
}
*ptag = tag;
*pclass = xclass;
- if (!asn1_get_length(&p, &inf, plength, (int)max))
+ if (!asn1_get_length(&p, &inf, plength, max))
goto err;
if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -159,11 +159,11 @@ int ASN1_get_object(const unsigned char
}
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- int max)
+ long max)
{
const unsigned char *p = *pp;
unsigned long ret = 0;
- unsigned int i;
+ unsigned long i;
if (max-- < 1)
return (0);
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne
*inf = 0;
i = *p & 0x7f;
if (*(p++) & 0x80) {
- if (i > sizeof(long))
+ if (i > sizeof(ret) || max < i)
return 0;
- if (max-- == 0)
- return (0);
while (i-- > 0) {
ret <<= 8L;
ret |= *(p++);
- if (max-- == 0)
- return (0);
}
} else
ret = i;
Index: openssl-0.9.8zh/crypto/asn1/asn1_par.c
===================================================================
--- openssl-0.9.8zh.orig/crypto/asn1/asn1_par.c 2016-05-03 17:40:38.743725669 +0200
+++ openssl-0.9.8zh/crypto/asn1/asn1_par.c 2016-05-03 17:51:25.504916639 +0200
@@ -179,6 +179,7 @@ static int asn1_parse2(BIO *bp, const un
if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
goto end;
if (j & V_ASN1_CONSTRUCTED) {
+ const unsigned char *sp;
ep = p + len;
if (BIO_write(bp, "\n", 1) <= 0)
goto end;
@@ -188,6 +189,7 @@ static int asn1_parse2(BIO *bp, const un
goto end;
}
if ((j == 0x21) && (len == 0)) {
+ sp = p;
for (;;) {
r = asn1_parse2(bp, &p, (long)(tot - p),
offset + (p - *pp), depth + 1,
@@ -196,18 +198,25 @@ static int asn1_parse2(BIO *bp, const un
ret = 0;
goto end;
}
- if ((r == 2) || (p >= tot))
- break;
+ if ((r == 2) || (p >= tot))
+ {
+ len = p - sp;
+ break;
+ }
}
- } else
+ } else {
+ long tmp = len;
while (p < ep) {
- r = asn1_parse2(bp, &p, (long)len,
+ sp = p;
+ r=asn1_parse2(bp,&p,tmp,
offset + (p - *pp), depth + 1,
indent, dump);
if (r == 0) {
ret = 0;
goto end;
}
+ tmp -= p - sp;
+ }
}
} else if (xclass != 0) {
p += len;
