apply patches from OpenSSL Security Advisory [30 July 2002],

http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2

1 files changed, 6 insertions, 4 deletions

diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index 830ff2af3c..fd8e77044e 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -123,15 +123,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
                 (int)(omax+ *pp));
 
 #endif
-#if 0
-        if ((p+ *plength) > (omax+ *pp))
+        if (*plength > (omax - (*pp - p)))
                 {
                 ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
                 /* Set this so that even if things are not long enough
                  * the values are set correctly */
                 ret|=0x80;
                 }
-#endif
         *pp=p;
         return(ret|inf);
 err:
@@ -158,6 +156,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                 i= *p&0x7f;
                 if (*(p++) & 0x80)
                         {
+                        if (i > sizeof(long))
+                                return 0;
                         if (max-- == 0) return(0);
                         while (i-- > 0)
                                 {
@@ -169,6 +169,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                 else
                         ret=i;
                 }
+        if (ret < 0)
+                return 0;
         *pp=p;
         *rl=ret;
         return(1);
@@ -406,7 +408,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 
 void asn1_add_error(unsigned char *address, int offset)
         {
-        char buf1[16],buf2[16];
+        char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
         sprintf(buf1,"%lu",(unsigned long)address);
         sprintf(buf2,"%d",offset);