Avoid buffer overflow in asn1_parse2

asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be overrun since ASN1_get_object advances pointer to the first content octet. In case invalid ASN1 Boolean data, it has length but no content, I thought this could be happen. Adding check p with tot (diff below) will avoid this failure. Reported by oss-fuzz 43633 and 43648(later) ok tb@
author: inoguchi <> 2022-01-14 23:55:46 +0000
committer: inoguchi <> 2022-01-14 23:55:46 +0000
commit: 4681f1fa23cd9554370f01bf80dc21ea348dd551 (patch)
tree: 033ed9076d9786371759261ed6d2b66d6c5e43eb /src
parent: c3859c4619d6925f8bcd2fd29e2681491ff60fc4 (diff)
download: openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.tar.gz
openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.tar.bz2
openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index aec71d3be9..e9fe52021c 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
                                                goto end;
                                }
                        } else if (tag == V_ASN1_BOOLEAN) {
-                                if (len != 1) {
+                                if (len != 1 || p >= tot) {
                                        if (BIO_write(bp, "Bad boolean\n",
                                            12) <= 0)
                                                goto end;
author	inoguchi <>	2022-01-14 23:55:46 +0000
committer	inoguchi <>	2022-01-14 23:55:46 +0000
commit	4681f1fa23cd9554370f01bf80dc21ea348dd551 (patch)
tree	033ed9076d9786371759261ed6d2b66d6c5e43eb /src
parent	c3859c4619d6925f8bcd2fd29e2681491ff60fc4 (diff)
download	openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.tar.gz openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.tar.bz2 openbsd-4681f1fa23cd9554370f01bf80dc21ea348dd551.zip

diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c index aec71d3be9..e9fe52021c 100644 --- a/src/lib/libcrypto/asn1/asn1_par.c +++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */	1	/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -232,7 +232,7 @@ asn1_parse2(BIO bp, const unsigned char *pp, long length, int offset,
232	goto end;	232	goto end;
233	}	233	}
234	} else if (tag == V_ASN1_BOOLEAN) {	234	} else if (tag == V_ASN1_BOOLEAN) {
235	if (len != 1) {	235	if (len != 1 \|\| p >= tot) {
236	if (BIO_write(bp, "Bad boolean\n",	236	if (BIO_write(bp, "Bad boolean\n",
237	12) <= 0)	237	12) <= 0)
238	goto end;	238	goto end;