From: tb <tb@openbsd.org>
Date: Tue, 8 Nov 2022 16:48:28 +0000 (+0000)
Subject: Avoid signed integer overflow in i2c_ASN1_BIT_STRING()
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f81cc285d2aed8b36615119a306533696f3eb66c;p=openbsd

Avoid signed integer overflow in i2c_ASN1_BIT_STRING()

If the length of the bitstring is INT_MAX, adding 1 to it is undefined
behavior, so error out before doing so.

Based on BoringSSL eeb3333f by davidben

ok beck joshua
---

diff --git a/lib/libcrypto/asn1/a_bitstr.c b/lib/libcrypto/asn1/a_bitstr.c
index c30b8f5b65e..a4a379a9a01 100644
--- a/lib/libcrypto/asn1/a_bitstr.c
+++ b/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.36 2022/05/17 09:17:20 tb Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.37 2022/11/08 16:48:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -241,6 +241,14 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	if (a == NULL)
 		return (0);
 
+	if (a->length == INT_MAX)
+		return (0);
+
+	ret = a->length + 1;
+
+	if (pp == NULL)
+		return (ret);
+
 	len = a->length;
 
 	if (len > 0) {
@@ -274,10 +282,6 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	} else
 		bits = 0;
 
-	ret = 1 + len;
-	if (pp == NULL)
-		return (ret);
-
 	p= *pp;
 
 	*(p++) = (unsigned char)bits;