Prevent OOB in SRP base64 code.

Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2672)

Prevent OOB in SRP base64 code.
Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2672)
ecca1663 · Rich Salz · 9dd4ac8c · ecca1663
隐藏空白更改
内联并排

Showing with 5 addition and 2 deletion

crypto/srp/srp_vfy.c crypto/srp/srp_vfy.c +5 -2

未找到文件。
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src)
    int i, j;
    int size;

+    if (alen == 0 || alen > INT_MAX)
+        return -1;
+
    while (*src && (*src == ' ' || *src == '\t' || *src == '\n'))
        ++src;
    size = strlen(src);
-    if (alen > INT_MAX || size > (int)alen)
+    if (size < 0 || size >= (int)alen)
        return -1;

    i = 0;
@@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src)
        if (--i < 0)
            break;
    }
-    while (a[j] == 0 && j <= size)
+    while (j <= size && a[j] == 0)
        ++j;
    i = 0;
    while (j <= size)