From 5c1da4cc236aa2154e350666b58ec8ac3f46f0ea Mon Sep 17 00:00:00 2001 From: jsing Date: Mon, 17 Oct 2022 18:26:41 +0000 Subject: [PATCH] Avoid potential divide by zero in BIO_dump_indent_cb() Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a value of zero, which is promptly used for division. Likewise, passing a value larger than 67 results in a negative value being returned. Prevent this by limiting indent to 64 (which matches OpenSSL's current behaviour), as well as ensuring that dump_width is > 0. Should fix oss-fuzz #52464 and #52467. ok miod@ tb@ --- lib/libcrypto/bio/b_dump.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/lib/libcrypto/bio/b_dump.c b/lib/libcrypto/bio/b_dump.c index 7e1c2d7947a..61a83fc44b2 100644 --- a/lib/libcrypto/bio/b_dump.c +++ b/lib/libcrypto/bio/b_dump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */ +/* $OpenBSD: b_dump.c,v 1.23 2022/10/17 18:26:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -80,11 +80,11 @@ int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), void *u, const char *s, int len, int indent) { - int ret = 0; char buf[288 + 1], tmp[20], str[128 + 1]; int i, j, rows, trc, written; unsigned char ch; int dump_width; + int ret = 0; trc = 0; @@ -95,14 +95,13 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), if (indent < 0) indent = 0; - if (indent) { - if (indent > 128) - indent = 128; - memset(str, ' ', indent); - } + if (indent > 64) + indent = 64; + memset(str, ' ', indent); str[indent] = '\0'; - dump_width = DUMP_WIDTH_LESS_INDENT(indent); + if ((dump_width = DUMP_WIDTH_LESS_INDENT(indent)) <= 0) + return -1; rows = (len / dump_width); if ((rows * dump_width) < len) rows++; -- 2.20.1