Avoid an 1 byte out-of-bounds read in ASN1_PRINTABLE_type()

In case the input is not NUL terminated, the reversed check for length
and terminating NUL results in a one-byte overread. The documentation
says that the input should be a string, but in ASN.1 land you never
know...

Reported by Guido Vranken a while back

ok beck

diff --git a/lib/libcrypto/asn1/a_print.c b/lib/libcrypto/asn1/a_print.c
index ddcee54..979f5f4 100644 (file)
--- a/lib/libcrypto/asn1/a_print.c
+++ b/lib/libcrypto/asn1/a_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_print.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: a_print.c,v 1.12 2023/03/12 11:49:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -72,7 +72,7 @@ ASN1_PRINTABLE_type(const unsigned char *s, int len)
        if (s == NULL)
                return (V_ASN1_PRINTABLESTRING);
 
-       while ((*s) && (len-- != 0)) {
+       while (len-- > 0 && *s != '\0') {
                c= *(s++);
                if (!(((c >= 'a') && (c <= 'z')) ||
                    ((c >= 'A') && (c <= 'Z')) ||