Reject long inputs in c2i_ASN1_INTEGER.

Thanks to mlbrown for reporting this.

Bug: chromium:942269
Change-Id: Ie06970f25a6ab0e08a8861d604b2177c8fd1d1a8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35326
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2019-03-14 18:35:59 -05:00 committed by Adam Langley
parent 0dcab9302f
commit 1c71844ef5

View File

@ -195,6 +195,16 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
unsigned char *to, *s;
int i;
/*
* This function can handle lengths up to INT_MAX - 1, but the rest of the
* legacy ASN.1 code mixes integer types, so avoid exposing it to
* ASN1_INTEGERS with larger lengths.
*/
if (len < 0 || len > INT_MAX / 2) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
return NULL;
}
if ((a == NULL) || ((*a) == NULL)) {
if ((ret = M_ASN1_INTEGER_new()) == NULL)
return (NULL);