From 3b3b62f39c688e3b65735e9a14676f143c63a438 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Tue, 24 Jan 2017 16:06:20 -0800 Subject: [PATCH] X509_parse_from_buffer: reject massive certificates. Otherwise we could pass a negative value into |d2i_X509|. Change-Id: I52a35dd9648269094110b69eddd7667a56ec8253 Reviewed-on: https://boringssl-review.googlesource.com/13363 Commit-Queue: Adam Langley Reviewed-by: David Benjamin Reviewed-by: Adam Langley --- crypto/x509/x_x509.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index d3cd5b0d..15118d29 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ #include +#include #include #include @@ -151,6 +152,11 @@ IMPLEMENT_ASN1_FUNCTIONS(X509) IMPLEMENT_ASN1_DUP_FUNCTION(X509) X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf) { + if (CRYPTO_BUFFER_len(buf) > LONG_MAX) { + OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); + return 0; + } + X509 *x509 = X509_new(); if (x509 == NULL) { return NULL;
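Review bot: The new length guard at the top of X509_parse_from_buffer queues its failure as `OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);` although the file is crypto/x509/x_x509.c, so anyone triaging the error queue would see an SSL-library error for a certificate-parsing rejection; `OPENSSL_PUT_ERROR(X509, ERR_R_OVERFLOW);` looks like what was intended. The same branch ends in `return 0;` while the function returns `X509 *` and the very next failure path uses `return NULL;`, so `return NULL;` would keep the two consistent. The reason for the bound is only in the commit message, so a short comment above the check, such as `/* d2i_X509 takes a |long| length; anything larger would be passed as a negative value. */`, would keep a later refactor from dropping it. The rest of the function body, including the call that consumes the length, lies outside this hunk.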