From 351c9db3f70cc53981f6bded371e0d6ffa33e580 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 26 May 2017 16:32:14 +0000
Subject: Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().

Reported by Robert Swiecki, who found the issue using honggfuzz.

ok bcook@
---
 src/lib/libcrypto/ec/ec_asn1.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index dddf71c6e5..b64b7e14d3 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.23 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.24 2017/05/26 16:32:14 jsing Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -1390,8 +1390,14 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
 ECerror(ERR_R_EC_LIB);
 goto err;
 }
+
 pub_oct = ASN1_STRING_data(priv_key->publicKey);
 pub_oct_len = ASN1_STRING_length(priv_key->publicKey);
+ if (pub_oct == NULL || pub_oct_len <= 0) {
+ ECerror(EC_R_BUFFER_TOO_SMALL);
+ goto err;
+ }
+
 /* save the point conversion form */
 ret->conv_form = (point_conversion_form_t) (pub_oct[0] & ~0x01);
 if (!EC_POINT_oct2point(ret->group, ret->pub_key,
-- 
cgit v1.2.3-55-g6feb
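Review bot: The new guard ahead of `pub_oct[0]` in the second hunk has no comment saying which input it rejects, and because `d2i_ECPrivateKey()` decodes DER that can come from an untrusted source, the reason belongs next to the check. A line such as `/* An empty publicKey BIT STRING leaves no octet to read the conversion form from. */` above the `if` would keep a later cleanup from dropping it as redundant. `EC_R_BUFFER_TOO_SMALL` is also an odd reason code for a malformed encoding; if the EC error table has a more specific invalid-encoding reason it would make error-queue triage easier, though that table is not visible from this hunk. The function body starts and ends outside the hunk, so whether the `err` path releases `ret` and `priv_key` on this new exit cannot be confirmed here.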