From e457bdd15fcf75f91b9a412147cc1dfbe46f436c Mon Sep 17 00:00:00 2001 From: inoguchi Date: Fri, 14 Jan 2022 23:55:46 +0000 Subject: [PATCH] Avoid buffer overflow in asn1_parse2 asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be overrun since ASN1_get_object advances pointer to the first content octet. In case invalid ASN1 Boolean data, it has length but no content, I thought this could be happen. Adding check p with tot (diff below) will avoid this failure. Reported by oss-fuzz 43633 and 43648(later) ok tb@ --- lib/libcrypto/asn1/asn1_par.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/asn1/asn1_par.c b/lib/libcrypto/asn1/asn1_par.c index aec71d3be9a..e9fe52021cc 100644 --- a/lib/libcrypto/asn1/asn1_par.c +++ b/lib/libcrypto/asn1/asn1_par.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, goto end; } } else if (tag == V_ASN1_BOOLEAN) { - if (len != 1) { + if (len != 1 || p >= tot) { if (BIO_write(bp, "Bad boolean\n", 12) <= 0) goto end; -- 2.20.1