diff options
| author | jsing <> | 2022-10-17 18:26:41 +0000 |
|---|---|---|
| committer | jsing <> | 2022-10-17 18:26:41 +0000 |
| commit | 12051870b7613e05090211a9b7c5ff1483462bee (patch) | |
| tree | 260c1f65cd3e34bd39f0477a5d06036c3d4e2b78 /src | |
| parent | 68426a72f66e5fdfe8e6dcf8c4403a3b85fdf7b2 (diff) | |
| download | openbsd-12051870b7613e05090211a9b7c5ff1483462bee.tar.gz openbsd-12051870b7613e05090211a9b7c5ff1483462bee.tar.bz2 openbsd-12051870b7613e05090211a9b7c5ff1483462bee.zip | |
Avoid potential divide by zero in BIO_dump_indent_cb()
Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a
value of zero, which is promptly used for division. Likewise, passing a
value larger than 67 results in a negative value being returned.
Prevent this by limiting indent to 64 (which matches OpenSSL's current
behaviour), as well as ensuring that dump_width is > 0.
Should fix oss-fuzz #52464 and #52467.
ok miod@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/bio/b_dump.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/src/lib/libcrypto/bio/b_dump.c b/src/lib/libcrypto/bio/b_dump.c index 7e1c2d7947..61a83fc44b 100644 --- a/src/lib/libcrypto/bio/b_dump.c +++ b/src/lib/libcrypto/bio/b_dump.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */ | 1 | /* $OpenBSD: b_dump.c,v 1.23 2022/10/17 18:26:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -80,11 +80,11 @@ int | |||
| 80 | BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), | 80 | BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), |
| 81 | void *u, const char *s, int len, int indent) | 81 | void *u, const char *s, int len, int indent) |
| 82 | { | 82 | { |
| 83 | int ret = 0; | ||
| 84 | char buf[288 + 1], tmp[20], str[128 + 1]; | 83 | char buf[288 + 1], tmp[20], str[128 + 1]; |
| 85 | int i, j, rows, trc, written; | 84 | int i, j, rows, trc, written; |
| 86 | unsigned char ch; | 85 | unsigned char ch; |
| 87 | int dump_width; | 86 | int dump_width; |
| 87 | int ret = 0; | ||
| 88 | 88 | ||
| 89 | trc = 0; | 89 | trc = 0; |
| 90 | 90 | ||
| @@ -95,14 +95,13 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), | |||
| 95 | 95 | ||
| 96 | if (indent < 0) | 96 | if (indent < 0) |
| 97 | indent = 0; | 97 | indent = 0; |
| 98 | if (indent) { | 98 | if (indent > 64) |
| 99 | if (indent > 128) | 99 | indent = 64; |
| 100 | indent = 128; | 100 | memset(str, ' ', indent); |
| 101 | memset(str, ' ', indent); | ||
| 102 | } | ||
| 103 | str[indent] = '\0'; | 101 | str[indent] = '\0'; |
| 104 | 102 | ||
| 105 | dump_width = DUMP_WIDTH_LESS_INDENT(indent); | 103 | if ((dump_width = DUMP_WIDTH_LESS_INDENT(indent)) <= 0) |
| 104 | return -1; | ||
| 106 | rows = (len / dump_width); | 105 | rows = (len / dump_width); |
| 107 | if ((rows * dump_width) < len) | 106 | if ((rows * dump_width) < len) |
| 108 | rows++; | 107 | rows++; |