File 0001-Fix-buffer-overrun-in-ASN1_parse.patch of Package libopenssl0_9_8

From 697283ba418b21c4c0682d7050264b492e2ea4e2 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Tue, 19 Apr 2016 22:23:24 -0400
Subject: [PATCH] Fix buffer overrun in ASN1_parse().

Backport of commits:

        79c7f74d6cefd5d32fa20e69195ad3de834ce065
	bdcd660e33710079b495cf5cc6a1aaa5d2dcd317

from master.

Reviewed-by: Matt Caswell <matt@openssl.org>
---
 crypto/asn1/asn1_lib.c | 18 +++++++-----------
 crypto/asn1/asn1_par.c | 17 +++++++++++++----
 2 files changed, 20 insertions(+), 15 deletions(-)

Index: openssl-0.9.8zh/crypto/asn1/asn1_lib.c
===================================================================
--- openssl-0.9.8zh.orig/crypto/asn1/asn1_lib.c	2016-05-03 17:40:38.743725669 +0200
+++ openssl-0.9.8zh/crypto/asn1/asn1_lib.c	2016-05-03 17:43:49.286728306 +0200
@@ -63,7 +63,7 @@
 #include <openssl/asn1_mac.h>
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max);
+                           long max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char
     }
     *ptag = tag;
     *pclass = xclass;
-    if (!asn1_get_length(&p, &inf, plength, (int)max))
+    if (!asn1_get_length(&p, &inf, plength, max))
         goto err;
 
     if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -159,11 +159,11 @@ int ASN1_get_object(const unsigned char
 }
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max)
+                           long max)
 {
     const unsigned char *p = *pp;
     unsigned long ret = 0;
-    unsigned int i;
+    unsigned long i;
 
     if (max-- < 1)
         return (0);
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne
         *inf = 0;
         i = *p & 0x7f;
         if (*(p++) & 0x80) {
-            if (i > sizeof(long))
+            if (i > sizeof(ret) || max < i)
                 return 0;
-            if (max-- == 0)
-                return (0);
             while (i-- > 0) {
                 ret <<= 8L;
                 ret |= *(p++);
-                if (max-- == 0)
-                    return (0);
             }
         } else
             ret = i;
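Review bot: The new bound `max < i` compares a signed `long` with an `unsigned long`, so `max` is converted to unsigned; this is only correct because the `max-- < 1` guard earlier in asn1_get_length keeps `max` non-negative at this point. Writing the check as `if (i > sizeof(ret) || max < (long)i)` keeps the comparison signed, and the cast is safe because the first operand has already limited `i` to at most `sizeof(ret)`. The function continues outside the hunk, so it is worth confirming there that `ret`, an `unsigned long`, is checked against `LONG_MAX` before it is stored through `rl`; otherwise an encoded length with the top bit set would reach callers as a negative `long`.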
Index: openssl-0.9.8zh/crypto/asn1/asn1_par.c
===================================================================
--- openssl-0.9.8zh.orig/crypto/asn1/asn1_par.c	2016-05-03 17:40:38.743725669 +0200
+++ openssl-0.9.8zh/crypto/asn1/asn1_par.c	2016-05-03 17:51:25.504916639 +0200
@@ -179,6 +179,7 @@ static int asn1_parse2(BIO *bp, const un
         if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
             goto end;
         if (j & V_ASN1_CONSTRUCTED) {
+            const unsigned char *sp;
             ep = p + len;
             if (BIO_write(bp, "\n", 1) <= 0)
                 goto end;
@@ -188,6 +189,7 @@ static int asn1_parse2(BIO *bp, const un
                 goto end;
             }
             if ((j == 0x21) && (len == 0)) {
+                sp = p;
                 for (;;) {
                     r = asn1_parse2(bp, &p, (long)(tot - p),
                                     offset + (p - *pp), depth + 1,
@@ -196,18 +198,25 @@ static int asn1_parse2(BIO *bp, const un
                         ret = 0;
                         goto end;
                     }
-                    if ((r == 2) || (p >= tot))
-                        break;
+		if ((r == 2) || (p >= tot))
+			{
+			len = p - sp;
+			break;
+			}
                 }
-            } else
+            } else {
+		long tmp = len;
                 while (p < ep) {
-                    r = asn1_parse2(bp, &p, (long)len,
+			sp = p;
+			r=asn1_parse2(bp,&p,tmp,
                                     offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
                         goto end;
                     }
+		tmp -= p - sp;
+		}
                 }
         } else if (xclass != 0) {
             p += len;
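Review bot: The lines added to both loops in asn1_parse2 are tab-indented with braces on their own lines, while the surrounding context uses four-space indentation, so the nesting is hard to follow: the `}` after `tmp -= p - sp;` closes the `while` and the `}` below it closes the new `else {`, which the mixed indentation does not show. Re-indenting the added lines to the file's style would make it visible that `tmp` is decremented once per child element inside the loop. A short comment at the declaration, e.g. `/* tmp: bytes of this constructed value not yet consumed by child elements */`, would also document why the recursive call now receives `tmp` rather than `len`. That `tmp` cannot go negative appears to depend on the length validation earlier in asn1_parse2, which lies outside the hunk.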