From fc058410955c015c49e2b0bea7d294f5565009cf Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 2 Mar 2016 14:28:14 +0000
Subject: fix the rest of the read_ledword() calls used as lengths to be bounded. inspired by guido vranken https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/ ok doug@
---
 src/lib/libcrypto/pem/pvkfmt.c | 6 +++++-
 src/lib/libssl/src/crypto/pem/pvkfmt.c | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index c3fd0e8d0a..7a9045396c 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -179,6 +179,10 @@ do_blob_header(const unsigned char **in, unsigned int length,
 p += 6;
 *pmagic = read_ledword(&p);
 *pbitlen = read_ledword(&p);
+ if (*pbitlen > 65536) {
+ PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER);
+ return 0;
+ }
 *pisdss = 0;
 switch (*pmagic) {
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c
index c3fd0e8d0a..7a9045396c 100644
--- a/src/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -179,6 +179,10 @@ do_blob_header(const unsigned char **in, unsigned int length,
 p += 6;
 *pmagic = read_ledword(&p);
 *pbitlen = read_ledword(&p);
+ if (*pbitlen > 65536) {
+ PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER);
+ return 0;
+ }
 *pisdss = 0;
 switch (*pmagic) {
-- cgit v1.2.3-55-g6feb
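Review bot: The cap `*pbitlen > 65536` added after the second read_ledword() call in do_blob_header is a bare literal with no statement of its unit or why that value was chosen, and the identical hunk in src/lib/libssl/src/crypto/pem/pvkfmt.c repeats it. Since *pbitlen comes straight from the key blob and, per the commit message, is later used as a length, a comment such as `/* bitlen is untrusted input used to size later reads; cap it at 64 Kbit */` would tell a maintainer what the limit protects. The check also has no lower bound, so a header declaring a bit length of 0 still passes; whether that is harmless depends on the callers, which are not visible here, so `if (*pbitlen == 0 || *pbitlen > 65536) {` is worth considering once that is confirmed. do_blob_header begins before and continues past the hunk, so any earlier validation of `length` cannot be judged from these lines.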