From e8872944128f3e6b75d300e794f06c5ae149effd Mon Sep 17 00:00:00 2001 From: tb Date: Sun, 12 Mar 2023 11:49:02 +0000 Subject: [PATCH] Avoid an 1 byte out-of-bounds read in ASN1_PRINTABLE_type() In case the input is not NUL terminated, the reversed check for length and terminating NUL results in a one-byte overread. The documentation says that the input should be a string, but in ASN.1 land you never know... Reported by Guido Vranken a while back ok beck --- lib/libcrypto/asn1/a_print.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libcrypto/asn1/a_print.c b/lib/libcrypto/asn1/a_print.c index ddcee54c7d8..979f5f4de0e 100644 --- a/lib/libcrypto/asn1/a_print.c +++ b/lib/libcrypto/asn1/a_print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_print.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: a_print.c,v 1.12 2023/03/12 11:49:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -72,7 +72,7 @@ ASN1_PRINTABLE_type(const unsigned char *s, int len) if (s == NULL) return (V_ASN1_PRINTABLESTRING); - while ((*s) && (len-- != 0)) { + while (len-- > 0 && *s != '\0') { c= *(s++); if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || -- 2.20.1