diff options
| author | tb <> | 2022-08-10 16:51:26 +0000 |
|---|---|---|
| committer | tb <> | 2022-08-10 16:51:26 +0000 |
| commit | f2180ecff31e646ade77376f9c1694e54f7f8d32 (patch) | |
| tree | 1fe6fb883559ad685757c640bcbb34f9b507b7d8 /src | |
| parent | 07a8d75b5ae234230be00fa0617d05fd80787b7a (diff) | |
| download | openbsd-f2180ecff31e646ade77376f9c1694e54f7f8d32.tar.gz openbsd-f2180ecff31e646ade77376f9c1694e54f7f8d32.tar.bz2 openbsd-f2180ecff31e646ade77376f9c1694e54f7f8d32.zip | |
Avoid signed integer overflow due to unary negation
The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes
oss-fuzz #49944
with/ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/asn1/t_x509.c | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c index abcce54366..b2fd80b559 100644 --- a/src/lib/libcrypto/asn1/t_x509.c +++ b/src/lib/libcrypto/asn1/t_x509.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t_x509.c,v 1.38 2022/08/10 11:15:08 tb Exp $ */ | 1 | /* $OpenBSD: t_x509.c,v 1.39 2022/08/10 16:51:26 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -118,7 +118,6 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) | |||
| 118 | X509_CINF *ci; | 118 | X509_CINF *ci; |
| 119 | ASN1_INTEGER *bs; | 119 | ASN1_INTEGER *bs; |
| 120 | EVP_PKEY *pkey = NULL; | 120 | EVP_PKEY *pkey = NULL; |
| 121 | const char *neg; | ||
| 122 | 121 | ||
| 123 | if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { | 122 | if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { |
| 124 | mlch = '\n'; | 123 | mlch = '\n'; |
| @@ -155,18 +154,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) | |||
| 155 | l = -1; | 154 | l = -1; |
| 156 | if (bs->length <= (int)sizeof(long)) | 155 | if (bs->length <= (int)sizeof(long)) |
| 157 | l = ASN1_INTEGER_get(bs); | 156 | l = ASN1_INTEGER_get(bs); |
| 158 | if (l != -1) { | 157 | if (l >= 0) { |
| 159 | if (bs->type == V_ASN1_NEG_INTEGER) { | 158 | if (BIO_printf(bp, " %ld (0x%lx)\n", l, l) <= 0) |
| 160 | l = -l; | ||
| 161 | neg = "-"; | ||
| 162 | } else | ||
| 163 | neg = ""; | ||
| 164 | if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", | ||
| 165 | neg, l, neg, l) <= 0) | ||
| 166 | goto err; | 159 | goto err; |
| 167 | } else { | 160 | } else { |
| 168 | neg = (bs->type == V_ASN1_NEG_INTEGER) ? | 161 | const char *neg = ""; |
| 169 | " (Negative)" : ""; | 162 | |
| 163 | if (bs->type == V_ASN1_NEG_INTEGER) | ||
| 164 | neg = " (Negative)"; | ||
| 165 | |||
| 170 | if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) | 166 | if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) |
| 171 | goto err; | 167 | goto err; |
| 172 | for (i = 0; i < bs->length; i++) { | 168 | for (i = 0; i < bs->length; i++) { |