Check for overflow in CBB_add_u24.

All other CBB_add_u<N> functions take a narrowed type, but not every
uint32_t may fit in a u24. Check for this rather than silently truncate.

Change-Id: I23879ad0f4d2934f257e39e795cf93c6e3e878bf
Reviewed-on: https://boringssl-review.googlesource.com/8940
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

crypto/bytestring/bytestring_test.cc

@@ -852,6 +852,24 @@ static bool TestStickyError() {
     return false;
   }
 
+  // Write a u32 that cannot fit in a u24.
+  cbb.Reset();
+  if (!CBB_init(cbb.get(), 0)) {
+    return false;
+  }
+
+  if (CBB_add_u24(cbb.get(), 1u << 24)) {
+    fprintf(stderr, "CBB_add_u24 unexpectedly succeeded.\n");
+    return false;
+  }
+
+  // All future operations should fail.
+  if (CBB_add_u8(cbb.get(), 0) ||
+      CBB_finish(cbb.get(), &ptr, &len)) {
+    fprintf(stderr, "Future operations unexpectedly succeeded.\n");
+    return false;
+  }
+
   return true;
 }
 

crypto/bytestring/cbb.c

@@ -156,6 +156,12 @@ static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
     buf[i] = v;
     v >>= 8;
   }
+
+  if (v != 0) {
+    base->error = 1;
+    return 0;
+  }
+
   return 1;
 }