From 0757e0fdcc16f903467fb60ce960a41f09cb62d6 Mon Sep 17 00:00:00 2001
From: djm <>
Date: Sun, 22 Apr 2012 01:38:24 +0000
Subject: MFC

mem.c
revision 1.14
date: 2012/04/19 22:57:38;  author: djm;  state: Exp;  lines: +4 -0
cherrypick fix for CVE-2012-2110: libcrypto ASN.1 parsing heap overflow
ok miod@ deraadt@

asn1/a_d2i_fp.c
revision 1.6
date: 2012/04/19 22:57:38;  author: djm;  state: Exp;  lines: +40 -14
cherrypick fix for CVE-2012-2110: libcrypto ASN.1 parsing heap overflow
ok miod@ deraadt@

buffer/buffer.c
revision 1.9
date: 2012/04/19 22:57:38;  author: djm;  state: Exp;  lines: +17 -0
cherrypick fix for CVE-2012-2110: libcrypto ASN.1 parsing heap overflow
ok miod@ deraadt@
---
 src/lib/libcrypto/mem.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/lib/libcrypto')

diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 8f06d190a1..9ecb8d26b1 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -362,6 +362,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
 
 	if (num <= 0) return NULL;
 
+	/* We don't support shrinking the buffer. Note the memcpy that copies
+	 * |old_len| bytes to the new buffer, below. */
+	if (num < old_len) return NULL;
+
 	if (realloc_debug_func != NULL)
 		realloc_debug_func(str, NULL, num, file, line, 0);
 	ret=malloc_ex_func(num,file,line);
-- 
cgit v1.2.3-55-g6feb