diff options
Diffstat (limited to 'src/lib/libcrypto/pem/pem_lib.c')
-rw-r--r-- | src/lib/libcrypto/pem/pem_lib.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c index 1ebae53e74..e3629762f9 100644 --- a/src/lib/libcrypto/pem/pem_lib.c +++ b/src/lib/libcrypto/pem/pem_lib.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: pem_lib.c,v 1.35 2014/10/22 13:02:04 jsing Exp $ */ | 1 | /* $OpenBSD: pem_lib.c,v 1.36 2015/02/10 09:52:35 miod Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -389,7 +389,10 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, | |||
389 | } | 389 | } |
390 | kstr = (unsigned char *)buf; | 390 | kstr = (unsigned char *)buf; |
391 | } | 391 | } |
392 | OPENSSL_assert(enc->iv_len <= (int)sizeof(iv)); | 392 | if ((size_t)enc->iv_len > sizeof(iv)) { |
393 | PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, EVP_R_IV_TOO_LARGE); | ||
394 | goto err; | ||
395 | } | ||
393 | arc4random_buf(iv, enc->iv_len); /* Generate a salt */ | 396 | arc4random_buf(iv, enc->iv_len); /* Generate a salt */ |
394 | /* The 'iv' is used as the iv and as a salt. It is | 397 | /* The 'iv' is used as the iv and as a salt. It is |
395 | * NOT taken from the BytesToKey function */ | 398 | * NOT taken from the BytesToKey function */ |
@@ -400,8 +403,11 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, | |||
400 | if (kstr == (unsigned char *)buf) | 403 | if (kstr == (unsigned char *)buf) |
401 | OPENSSL_cleanse(buf, PEM_BUFSIZE); | 404 | OPENSSL_cleanse(buf, PEM_BUFSIZE); |
402 | 405 | ||
403 | OPENSSL_assert(strlen(objstr) + 23 + | 406 | if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 > sizeof buf) { |
404 | 2 * enc->iv_len + 13 <= sizeof buf); | 407 | PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, |
408 | ASN1_R_BUFFER_TOO_SMALL); | ||
409 | goto err; | ||
410 | } | ||
405 | 411 | ||
406 | buf[0] = '\0'; | 412 | buf[0] = '\0'; |
407 | PEM_proc_type(buf, PEM_TYPE_ENCRYPTED); | 413 | PEM_proc_type(buf, PEM_TYPE_ENCRYPTED); |