artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c9c35ed)
Avoid signed integer overflow due to unary negation
authortb <tb@openbsd.org>
Wed, 10 Aug 2022 16:51:26 +0000 (16:51 +0000)
committertb <tb@openbsd.org>
Wed, 10 Aug 2022 16:51:26 +0000 (16:51 +0000)
The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

lib/libcrypto/asn1/t_x509.c patch | blob | history

diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c
index abcce54..b2fd80b 100644 (file)
--- a/lib/libcrypto/asn1/t_x509.c
+++ b/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.38 2022/08/10 11:15:08 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.39 2022/08/10 16:51:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,7 +118,6 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
        X509_CINF *ci;
        ASN1_INTEGER *bs;
        EVP_PKEY *pkey = NULL;
-       const char *neg;
 
        if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
                mlch = '\n';
@@ -155,18 +154,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                l = -1;
                if (bs->length <= (int)sizeof(long))
                        l = ASN1_INTEGER_get(bs);
-               if (l != -1) {
-                       if (bs->type == V_ASN1_NEG_INTEGER) {
-                               l = -l;
-                               neg = "-";
-                       } else
-                               neg = "";
-                       if (BIO_printf(bp, " %s%lu (%s0x%lx)\n",
-                           neg, l, neg, l) <= 0)
+               if (l >= 0) {
+                       if (BIO_printf(bp, " %ld (0x%lx)\n", l, l) <= 0)
                                goto err;
                } else {
-                       neg = (bs->type == V_ASN1_NEG_INTEGER) ?
-                           " (Negative)" : "";
+                       const char *neg = "";
+
+                       if (bs->type == V_ASN1_NEG_INTEGER)
+                               neg = " (Negative)";
+
                        if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0)
                                goto err;
                        for (i = 0; i < bs->length; i++) {
OpenBSD src
by Ahmet Artu Yildirim