提交 56f9953c 编写于 作者: D Dr. Stephen Henson

Check for overlows and error return from ASN1_object_size()

Reviewed-by: NRichard Levitte <levitte@openssl.org>
上级 e9f17097
...@@ -26,7 +26,7 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) ...@@ -26,7 +26,7 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
return (0); return (0);
objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT);
if (pp == NULL) if (pp == NULL || objsize == -1)
return objsize; return objsize;
p = *pp; p = *pp;
......
...@@ -153,17 +153,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, ...@@ -153,17 +153,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt; const ASN1_TEMPLATE *seqtt;
ASN1_VALUE **pseqval; ASN1_VALUE **pseqval;
int tmplen;
seqtt = asn1_do_adb(pval, tt, 1); seqtt = asn1_do_adb(pval, tt, 1);
if (!seqtt) if (!seqtt)
return 0; return 0;
pseqval = asn1_get_field_ptr(pval, seqtt); pseqval = asn1_get_field_ptr(pval, seqtt);
/* FIXME: check for errors in enhanced version */ tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass);
seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt, if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen))
-1, aclass); return -1;
seqcontlen += tmplen;
} }
seqlen = ASN1_object_size(ndef, seqcontlen, tag); seqlen = ASN1_object_size(ndef, seqcontlen, tag);
if (!out) if (!out || seqlen == -1)
return seqlen; return seqlen;
/* Output SEQUENCE header */ /* Output SEQUENCE header */
ASN1_put_object(out, ndef, seqcontlen, tag, aclass); ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
...@@ -280,19 +282,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, ...@@ -280,19 +282,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
/* Determine total length of items */ /* Determine total length of items */
skcontlen = 0; skcontlen = 0;
for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
int tmplen;
skitem = sk_ASN1_VALUE_value(sk, i); skitem = sk_ASN1_VALUE_value(sk, i);
skcontlen += ASN1_item_ex_i2d(&skitem, NULL, tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item),
ASN1_ITEM_ptr(tt->item),
-1, iclass); -1, iclass);
if (tmplen == -1 || (skcontlen > INT_MAX - tmplen))
return -1;
skcontlen += tmplen;
} }
sklen = ASN1_object_size(ndef, skcontlen, sktag); sklen = ASN1_object_size(ndef, skcontlen, sktag);
if (sklen == -1)
return -1;
/* If EXPLICIT need length of surrounding tag */ /* If EXPLICIT need length of surrounding tag */
if (flags & ASN1_TFLG_EXPTAG) if (flags & ASN1_TFLG_EXPTAG)
ret = ASN1_object_size(ndef, sklen, ttag); ret = ASN1_object_size(ndef, sklen, ttag);
else else
ret = sklen; ret = sklen;
if (!out) if (!out || ret == -1)
return ret; return ret;
/* Now encode this lot... */ /* Now encode this lot... */
...@@ -321,7 +328,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, ...@@ -321,7 +328,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
return 0; return 0;
/* Find length of EXPLICIT tag */ /* Find length of EXPLICIT tag */
ret = ASN1_object_size(ndef, i, ttag); ret = ASN1_object_size(ndef, i, ttag);
if (out) { if (out && ret != -1) {
/* Output tag and item */ /* Output tag and item */
ASN1_put_object(out, ndef, i, ttag, tclass); ASN1_put_object(out, ndef, i, ttag, tclass);
ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass); ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册