diff --git a/apps/asn1parse.c b/apps/asn1parse.c
index f0bfd1d45fc4233f2f10d821d5dbc95f84ff8f2d..26958fd15346b517829fc3796648d1d363e804bf 100644
--- a/apps/asn1parse.c
+++ b/apps/asn1parse.c
@@ -217,6 +217,9 @@ int asn1parse_main(int argc, char **argv)
 i = BIO_read(in, &(buf->data[num]), BUFSIZ);
 if (i <= 0)
 break;
+ /* make sure num doesn't overflow */
+ if (i > LONG_MAX - num)
+ goto end;
 num += i;
 }
 }
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 22dea873eeba566e398829f5d7602ef4ba9f2724..817413c9bf1dd6c5cfa4720a779b21ee772e94b6 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -139,9 +139,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 if (*out) {
 free_out = 0;
 dest = *out;
- OPENSSL_free(dest->data);
- dest->data = NULL;
- dest->length = 0;
+ ASN1_STRING_set0(dest, NULL, 0);
 dest->type = str_type;
 } else {
 free_out = 1;
@@ -155,6 +153,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 /* If both the same type just copy across */
 if (inform == outform) {
 if (!ASN1_STRING_set(dest, in, len)) {
+ if (free_out) {
+ ASN1_STRING_free(dest);
+ *out = NULL;
+ }
 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
 return -1;
 }
@@ -185,8 +187,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 break;
 }
 if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
- if (free_out)
+ if (free_out) {
 ASN1_STRING_free(dest);
+ *out = NULL;
+ }
 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
 return -1;
 }
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index b31761aae6f52c1f9e75acea646b24a0f71942bd..f61612737a90f8b50ee85379a0aab6b709017a2e 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -10,6 +10,7 @@
 #include
 #include
 #include "internal/cryptlib.h"
+#include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include
 #include
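Review bot: The new overflow guard in the read loop of asn1parse_main leaves through `goto end` without saying why, so an oversized input is indistinguishable from any other silent failure. Consider emitting a diagnostic before the jump, for example `BIO_printf(bio_err, "Error: input too large\n");`, provided the usual `bio_err` stream is in scope here. The bound `LONG_MAX - num` is only correct if `num` is a non-negative `long`; its declaration is outside the hunk, so that should be confirmed. The enclosing loop and the `end:` label both lie outside the hunk.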
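Review bot: The failure paths patched in ASN1_mbstring_ncopy (the `ASN1_STRING_set` failure in the @@ -155 hunk and the `OPENSSL_malloc` failure in the @@ -185 hunk) only clean up when `free_out` is set. When the caller supplied an existing `*out`, the @@ -139 hunk has already released its buffer with `ASN1_STRING_set0(dest, NULL, 0)` and overwritten `dest->type`, so the caller receives -1 together with an emptied, retyped string. That may be intended, but it should be stated on the function, e.g. `/* On failure a caller-supplied *out is left empty with its type changed; a string allocated here is freed and *out is set to NULL. */`. The function starts and ends outside these hunks, so any other error returns that free `dest` may need the same `*out = NULL` treatment.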
@@ -345,8 +346,10 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, if (lflags & ASN1_STRFLGS_SHOW_TYPE) { const char *tagname; + tagname = ASN1_tag2str(type); - outlen += strlen(tagname); + /* We can directly cast here as tagname will never be too large. */ + outlen += (int)strlen(tagname); if (!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; outlen++; @@ -372,7 +375,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, if (type == -1) { len = do_dump(lflags, io_ch, arg, str); - if (len < 0) + if (len < 0 || len > INT_MAX - outlen) return -1; outlen += len; return outlen; @@ -391,7 +394,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, } len = do_buf(str->data, str->length, type, flags, "es, io_ch, NULL); - if (len < 0) + if (len < 0 || len > INT_MAX - 2 - outlen) return -1; outlen += len; if (quotes) diff --git a/crypto/bio/bf_readbuff.c b/crypto/bio/bf_readbuff.c index 135ccef83bf3c425729c7c2503ecd8128e69d5b7..62490b9a2b36987e63e8d7e7a063e985ffd73ed8 100644 --- a/crypto/bio/bf_readbuff.c +++ b/crypto/bio/bf_readbuff.c @@ -222,10 +222,13 @@ static int readbuffer_gets(BIO *b, char *buf, int size) char *p; int i, j; - if (size == 0) + if (buf == NULL || size == 0) return 0; --size; /* the passed in size includes the terminator - so remove it here */ ctx = (BIO_F_BUFFER_CTX *)b->ptr; + + if (ctx == NULL || b->next_bio == NULL) + return 0; BIO_clear_retry_flags(b); /* If data is already buffered then use this first */ diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 82f41637387b21ef75fb373a66d4780f21890ce9..86c322473ca54783cc531bf770a202f8c73ff5ff 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -16,6 +16,7 @@ # include #endif +#include "e_os.h" #include "internal/cryptlib.h" #include 
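Review bot: The constant `2` in `len > INT_MAX - 2 - outlen` (the @@ -391 hunk of do_print_ex) is unexplained. It appears to reserve room for the pair of quote characters accounted for under `if (quotes)`, but that code continues outside the hunk. A one-line comment above the check would make the bound self-explanatory: `/* leave room for the two optional quote characters */`. The matching guard in the @@ -372 hunk needs no such slack because it returns right after `outlen += len`.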
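Review bot: The widened guard at the top of readbuffer_gets still tests only `size == 0`, so a negative `size` passes it and is then decremented by `--size` on the following line. Unless every caller is guaranteed to pass a positive length, reject it in the same check: `if (buf == NULL || size <= 0)`. How the negative value would be used further down is outside the hunk, so the impact cannot be judged from here.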
@@ -208,8 +209,16 @@ int RAND_write_file(const char *file) * should be restrictive from the start */ int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600); - if (fd != -1) + + if (fd != -1) { out = fdopen(fd, "wb"); + if (out == NULL) { + close(fd); + ERR_raise_data(ERR_LIB_RAND, RAND_R_CANNOT_OPEN_FILE, + "Filename=%s", file); + return -1; + } + } } #endif