From: tb Date: Fri, 13 Jan 2023 14:46:08 +0000 (+0000) Subject: Prevent 1-byte out-of-bounds read in i2c_ASN1_BIT_STRING X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1cbbcd438e8558d8fc1c3d49d771aa37fe5372cb;p=openbsd Prevent 1-byte out-of-bounds read in i2c_ASN1_BIT_STRING If an ASN.1 BIT STRING a of length > 0 contains only zero bytes in a->data, this old code would end up reading from a->data[-1]. This may or may not crash. Luckily, anton observed two openssl-ruby regress test failures in the last few days, which could eventually be traced back to this (after a lot of painful digging due to coredumps not working properly). ok jsing --- diff --git a/lib/libcrypto/asn1/a_bitstr.c b/lib/libcrypto/asn1/a_bitstr.c index a4a379a9a01..767055144df 100644 --- a/lib/libcrypto/asn1/a_bitstr.c +++ b/lib/libcrypto/asn1/a_bitstr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_bitstr.c,v 1.37 2022/11/08 16:48:28 tb Exp $ */ +/* $OpenBSD: a_bitstr.c,v 1.38 2023/01/13 14:46:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -255,11 +255,13 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) { bits = (int)a->flags & 0x07; } else { + j = 0; for (; len > 0; len--) { if (a->data[len - 1]) break; } - j = a->data[len - 1]; + if (len > 0) + j = a->data[len - 1]; if (j & 0x01) bits = 0; else if (j & 0x02)
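Review bot: In the else branch of the `@@ -255,11 +255,13 @@` hunk, once the loop has run `len` down to 0 (every byte of `a->data` is zero), `j` stays 0 and neither of the visible tests `j & 0x01` and `j & 0x02` matches, so `bits` is decided by the tail of the if/else chain, which lies outside this hunk. A short comment at `j = 0;` stating what `bits` ends up as for an all-zero string, or an explicit `len == 0` case that sets `bits` directly and skips the chain, would make that result obvious to the next reader. The diff shown touches only a_bitstr.c, and the commit message says the bug surfaced through openssl-ruby regress failures, so a libcrypto regress case that encodes a BIT STRING of length > 0 whose data is all zero bytes would keep this path covered in-tree.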