8 files changed, 31 insertions, 17 deletions

diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index e8a26af521..208b3ec395 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
         if((minsize > 0) && (nchar < minsize)) {
                 ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
-                sprintf(strbuf, "%ld", minsize);
+                BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
                 ERR_add_error_data(2, "minsize=", strbuf);
                 return -1;
         }
 
         if((maxsize > 0) && (nchar > maxsize)) {
                 ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
-                sprintf(strbuf, "%ld", maxsize);
+                BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
                 ERR_add_error_data(2, "maxsize=", strbuf);
                 return -1;
         }
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 8abfdfe598..bde666a6ff 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -285,7 +285,7 @@ const static signed char tag2nbyte[] = {
         -1, -1, 0, -1,          /* 10-13 */
         -1, -1, -1, -1,         /* 15-17 */
         -1, 1, 1,               /* 18-20 */
-        -1, 1, -1,-1,           /* 21-24 */
+        -1, 1, 1, 1,            /* 21-24 */
         -1, 1, -1,              /* 25-27 */
         4, -1, 2                /* 28-30 */
 };
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 7348da9457..159681fbcb 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
         {
         ASN1_GENERALIZEDTIME *ret;
         char *str;
+        int newlen;
 
         if (!ASN1_TIME_check(t)) return NULL;
 
@@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
         /* grow the string */
         if (!ASN1_STRING_set(ret, NULL, t->length + 2))
                 return NULL;
+        /* ASN1_STRING_set() allocated 'len + 1' bytes. */
+        newlen = t->length + 2 + 1;
         str = (char *)ret->data;
         /* Work out the century and prepend */
-        if (t->data[0] >= '5') strcpy(str, "19");
-        else strcpy(str, "20");
+        if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen);
+        else BUF_strlcpy(str, "20", newlen);
 
-        BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */
+        BUF_strlcat(str, (char *)t->data, newlen);
 
         return ret;
         }
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index e30d5dd303..a74f1368d3 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -414,8 +414,8 @@ void asn1_add_error(unsigned char *address, int offset)
         {
         char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
-        sprintf(buf1,"%lu",(unsigned long)address);
-        sprintf(buf2,"%d",offset);
+        BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
+        BIO_snprintf(buf2,sizeof buf2,"%d",offset);
         ERR_add_error_data(4,"address=",buf1," offset=",buf2);
         }
 
diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index e48532a24d..676d434f03 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 
         p=str;
         if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
-                sprintf(str,"priv [ %d ] ",tag);
+                BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag);
         else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
-                sprintf(str,"cont [ %d ]",tag);
+                BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
         else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
-                sprintf(str,"appl [ %d ]",tag);
+                BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
         else p = ASN1_tag2str(tag);
 
         if (p2 != NULL)
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index be20db4bad..edb44c988f 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
                         }
                 }
         return 1;
-}
+        }
+
+static void oid_module_finish(CONF_IMODULE *md)
+        {
+        OBJ_cleanup();
+        }
 
 void ASN1_add_oid_module(void)
         {
-        CONF_module_add("oid_section", oid_module_init, 0);
+        CONF_module_add("oid_section", oid_module_init, oid_module_finish);
         }
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index 4e09c9e44e..d15006e654 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -139,9 +139,9 @@ int RSA_print(BIO *bp, const RSA *x, int off)
                 }
 
         if (x->d == NULL)
-                sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+                BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
         else
-                strcpy(str,"modulus:");
+                BUF_strlcpy(str,"modulus:",sizeof str);
         if (!print(bp,str,x->n,m,off)) goto err;
         s=(x->d == NULL)?"Exponent:":"publicExponent:";
         if (!print(bp,s,x->e,m,off)) goto err;
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index c04b192794..c5f25956cb 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A
         long ltmp;
         unsigned long utmp;
         int clen, pad, i;
-        ltmp = *(long *)pval;
+        /* this exists to bypass broken gcc optimization */
+        char *cp = (char *)pval;
+
+        /* use memcpy, because we may not be long aligned */
+        memcpy(&ltmp, cp, sizeof(long));
+
         if(ltmp == it->size) return -1;
         /* Convert the long to positive: we subtract one if negative so
          * we can cleanly handle the padding if only the MSB of the leading
@@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
         int neg, i;
         long ltmp;
         unsigned long utmp = 0;
+        char *cp = (char *)pval;
         if(len > sizeof(long)) {
                 ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
                 return 0;
@@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
                 ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
                 return 0;
         }
-        *(long *)pval = ltmp;
+        memcpy(cp, &ltmp, sizeof(long));
         return 1;
 }