Avoid potential divide by zero in BIO_dump_indent_cb()

Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a
value of zero, which is promptly used for division. Likewise, passing a
value larger than 67 results in a negative value being returned.

Prevent this by limiting indent to 64 (which matches OpenSSL's current
behaviour), as well as ensuring that dump_width is > 0.

Should fix oss-fuzz #52464 and #52467.

ok miod@ tb@

diff --git a/lib/libcrypto/bio/b_dump.c b/lib/libcrypto/bio/b_dump.c
index 7e1c2d7..61a83fc 100644 (file)
--- a/lib/libcrypto/bio/b_dump.c
+++ b/lib/libcrypto/bio/b_dump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */
+/* $OpenBSD: b_dump.c,v 1.23 2022/10/17 18:26:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -80,11 +80,11 @@ int
 BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
     void *u, const char *s, int len, int indent)
 {
-       int ret = 0;
        char buf[288 + 1], tmp[20], str[128 + 1];
        int i, j, rows, trc, written;
        unsigned char ch;
        int dump_width;
+       int ret = 0;
 
        trc = 0;
 
@@ -95,14 +95,13 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 
        if (indent < 0)
                indent = 0;
-       if (indent) {
-               if (indent > 128)
-                       indent = 128;
-               memset(str, ' ', indent);
-       }
+       if (indent > 64)
+               indent = 64;
+       memset(str, ' ', indent);
        str[indent] = '\0';
 
-       dump_width = DUMP_WIDTH_LESS_INDENT(indent);
+       if ((dump_width = DUMP_WIDTH_LESS_INDENT(indent)) <= 0)
+               return -1;
        rows = (len / dump_width);
        if ((rows * dump_width) < len)
                rows++;