kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Handle overflow in ascii_to_ucs2.

Browse Source 
Change-Id: Ie9a0039931a1a8d48a82c11ef5c58d6ee084ca4c
Reviewed-on: https://boringssl-review.googlesource.com/13070
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <alangley@gmail.com>
This commit is contained in:
David Benjamin 2017-01-01 04:13:31 -05:00 committed by Adam Langley
parent 9d0e7fb6e7
commit 7f539fa008
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
crypto/pkcs8/pkcs8.c
View File

@ -82,23 +82,21 @@
static int ascii_to_ucs2(const char *ascii, size_t ascii_len, static int ascii_to_ucs2(const char *ascii, size_t ascii_len,
uint8_t **out, size_t *out_len) { uint8_t **out, size_t *out_len) {
uint8_t *unitmp; size_t ulen = ascii_len * 2 + 2;
size_t ulen, i; if (ascii_len * 2 < ascii_len || ulen < ascii_len * 2) {
ulen = ascii_len * 2 + 2;
if (ulen < ascii_len) {
return 0; return 0;
} }
unitmp = OPENSSL_malloc(ulen);
uint8_t *unitmp = OPENSSL_malloc(ulen);
if (unitmp == NULL) { if (unitmp == NULL) {
return 0; return 0;
} }
for (i = 0; i < ulen - 2; i += 2) { for (size_t i = 0; i < ulen - 2; i += 2) {
unitmp[i] = 0; unitmp[i] = 0;
unitmp[i + 1] = ascii[i >> 1]; unitmp[i + 1] = ascii[i >> 1];
} }
/* Make result double null terminated */ /* Terminate the result with a UCS-2 NUL. */
unitmp[ulen - 2] = 0; unitmp[ulen - 2] = 0;
unitmp[ulen - 1] = 0; unitmp[ulen - 1] = 0;
*out_len = ulen; *out_len = ulen;