Reject long inputs in c2i_ASN1_INTEGER.

Thanks to mlbrown for reporting this. Bug: chromium:942269 Change-Id: Ie06970f25a6ab0e08a8861d604b2177c8fd1d1a8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35326 Reviewed-by: Adam Langley <agl@google.com>
vor 5 Jahren · 1c71844ef5
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -195,6 +195,16 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
    unsigned char *to, *s;
    int i;

    /*
     * This function can handle lengths up to INT_MAX - 1, but the rest of the
     * legacy ASN.1 code mixes integer types, so avoid exposing it to
     * ASN1_INTEGERS with larger lengths.
     */
    if (len < 0 || len > INT_MAX / 2) {
        OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
        return NULL;
    }

    if ((a == NULL) || ((*a) == NULL)) {
        if ((ret = M_ASN1_INTEGER_new()) == NULL)
            return (NULL);