Avoid buffer overflow in asn1_parse2
author    inoguchi <inoguchi@openbsd.org>
          Fri, 14 Jan 2022 23:55:46 +0000 (23:55 +0000)
committer inoguchi <inoguchi@openbsd.org>
          Fri, 14 Jan 2022 23:55:46 +0000 (23:55 +0000)
asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be
overrun since ASN1_get_object advances the pointer to the first content octet.
In the case of invalid ASN1 Boolean data, which has a length but no content,
I thought this could happen.
Adding a check of p against tot (diff below) will avoid this failure.

Reported by oss-fuzz 43633 and 43648 (later)

ok tb@

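The failure mode the commit message describes, as an added example that is not LibreSSL code: a minimal DER BOOLEAN reader whose header parser, like ASN1_get_object, advances the pointer to the first content octet without verifying that the declared length fits in the remaining input. The pre-fix reader checks only the declared length and then reads p[0]; the fixed reader also requires p < tot before touching the content. All names (der_get_header, der_read_boolean, der_read_boolean_unfixed, bool_result, the DER_* codes) and the sample inputs are hypothetical and constructed here.

```c
/*
 * Added example, not LibreSSL code. Hypothetical names throughout.
 * Shows a DER BOOLEAN with declared length 1 but no content octet being read
 * one byte past the input, and the p >= tot style guard that prevents it.
 */
#include <stddef.h>
#include <stdio.h>

enum {
	DER_OK = 0,
	DER_BAD_HEADER = -1,	/* not enough bytes for tag + length */
	DER_BAD_BOOLEAN = -2,	/* wrong tag or declared length != 1 */
	DER_TRUNCATED = -3	/* length claims a content octet that is not there */
};

/*
 * Parse a tag/length header from [*pp, end). On success *pp is advanced to
 * the first content octet, as ASN1_get_object does. Like ASN1_get_object it
 * does not check that the declared length fits in the remaining input, so the
 * caller must bound every content access against end.
 */
static int
der_get_header(const unsigned char **pp, const unsigned char *end,
    int *tag, size_t *len)
{
	const unsigned char *p = *pp;
	size_t l, n;

	if (end - p < 2)
		return DER_BAD_HEADER;
	*tag = p[0] & 0x1f;
	if (*tag == 0x1f)		/* high-tag-number form not handled here */
		return DER_BAD_HEADER;
	p++;
	if (p[0] < 0x80) {		/* short form: one length octet */
		l = p[0];
		p++;
	} else {			/* long form: 0x80|n, then n length octets */
		n = p[0] & 0x7f;
		p++;
		if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < n)
			return DER_BAD_HEADER;
		l = 0;
		while (n-- > 0)
			l = (l << 8) | *p++;
	}
	*pp = p;
	*len = l;
	return DER_OK;
}

/* Pre-fix behaviour: only the declared length is checked before p[0] is read. */
static int
der_read_boolean_unfixed(const unsigned char *buf, size_t buflen, int *value)
{
	const unsigned char *p = buf, *tot = buf + buflen;
	int tag, ret;
	size_t len;

	if ((ret = der_get_header(&p, tot, &tag, &len)) != DER_OK)
		return ret;
	if (tag != 0x01 || len != 1)
		return DER_BAD_BOOLEAN;
	*value = p[0] != 0;	/* p may already equal tot: one byte past the input */
	return DER_OK;
}

/* Fixed behaviour: the content octet must exist before it is read. */
static int
der_read_boolean(const unsigned char *buf, size_t buflen, int *value)
{
	const unsigned char *p = buf, *tot = buf + buflen;
	int tag, ret;
	size_t len;

	if ((ret = der_get_header(&p, tot, &tag, &len)) != DER_OK)
		return ret;
	if (tag != 0x01 || len != 1)
		return DER_BAD_BOOLEAN;
	if (p >= tot)		/* header consumed the whole input: no content */
		return DER_TRUNCATED;
	*value = p[0] != 0;
	return DER_OK;
}

/* Returns the decoded value (0/1) on success, otherwise the DER_* error code. */
static int
bool_result(int (*reader)(const unsigned char *, size_t, int *),
    const unsigned char *buf, size_t buflen)
{
	int v = -1, ret = reader(buf, buflen, &v);
	return ret == DER_OK ? v : ret;
}

/* Constructed sample inputs. */
static const unsigned char in_true[] = { 0x01, 0x01, 0xff };
static const unsigned char in_false_longform[] = { 0x01, 0x81, 0x01, 0x00 }; /* BER long-form length */
static const unsigned char in_badlen[] = { 0x01, 0x02, 0x00, 0x00 };
/*
 * "01 01" and nothing else: length 1 but no content octet. Only the first
 * 2 bytes are passed in; the 0xaa is a sentinel outside the logical input so
 * the unfixed reader can be run without undefined behaviour.
 */
static const unsigned char in_truncated[] = { 0x01, 0x01, 0xaa };

int
main(void)
{
	printf("TRUE:              %d\n", bool_result(der_read_boolean, in_true, sizeof(in_true)));
	printf("FALSE (long form): %d\n", bool_result(der_read_boolean, in_false_longform, sizeof(in_false_longform)));
	printf("bad length:        %d\n", bool_result(der_read_boolean, in_badlen, sizeof(in_badlen)));
	printf("truncated, fixed:  %d\n", bool_result(der_read_boolean, in_truncated, 2));
	printf("truncated, unfixed (reads sentinel): %d\n", bool_result(der_read_boolean_unfixed, in_truncated, 2));
	return 0;
}
```

The point of the sentinel byte is that the unfixed reader "succeeds" and reports TRUE on the truncated input because it read whatever happened to follow the buffer, which is exactly the overrun the oss-fuzz reports caught; the fixed reader refuses the same two bytes as truncated.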
lib/libcrypto/asn1/asn1_par.c

index aec71d3..e9fe520 100644
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
                                                goto end;
                                }
                        } else if (tag == V_ASN1_BOOLEAN) {
-                               if (len != 1) {
+                               if (len != 1 || p >= tot) {
                                        if (BIO_write(bp, "Bad boolean\n",
                                            12) <= 0)
                                                goto end;
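Review bot: the new `p >= tot` test in the `V_ASN1_BOOLEAN` branch is only correct if `tot` is the one-past-the-end pointer of the input being parsed (the original `p + length`, computed before ASN1_get_object advanced `p`); that assignment is outside this hunk, so it is worth confirming `tot` here is the same bound the other content reads in asn1_parse2 use, and that it is not the end of the enclosing constructed element when the parser recurses. With `len != 1` already required, `p < tot` is exactly the condition that makes the single `p[0]` read in bounds, so the check is sufficient for this branch. One minor point: a truncated value and a malformed one are both reported as "Bad boolean", which hides the difference between a bad encoding and input that simply ends early; if asn1_parse2 has a separate length-error path for declared lengths that exceed the remaining input, routing `p >= tot` there would give fuzzers and users a more precise message.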