Fix an issue that might possibly turn into a DOS depending on

how application software uses the API function BIO_indent(3):

If the caller asks for some output, but not more than some negative
number of bytes, give them zero bytes of output rather than drowning
them in nearly INT_MAX bytes.

OK tb@

1 files changed, 3 insertions, 3 deletions

diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 05f0258947..85eb0f0c77 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_lib.c,v 1.30 2021/10/24 13:46:56 tb Exp $ */
+/* $OpenBSD: bio_lib.c,v 1.31 2021/12/09 15:28:58 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -391,10 +391,10 @@ BIO_gets(BIO *b, char *in, int inl)
 int
 BIO_indent(BIO *b, int indent, int max)
 {
-        if (indent < 0)
-                indent = 0;
         if (indent > max)
                 indent = max;
+        if (indent < 0)
+                indent = 0;
         while (indent--)
                 if (BIO_puts(b, " ") != 1)
                         return 0;