From 4681f1fa23cd9554370f01bf80dc21ea348dd551 Mon Sep 17 00:00:00 2001
From: inoguchi <>
Date: Fri, 14 Jan 2022 23:55:46 +0000
Subject: Avoid buffer overflow in asn1_parse2

asn1_par.c r1.29 changed to access p[0] directly, and this pointer could be overrun since ASN1_get_object advances pointer to the first content octet. In case invalid ASN1 Boolean data, it has length but no content, I thought this could be happen. Adding check p with tot (diff below) will avoid this failure.

Reported by oss-fuzz 43633 and 43648(later)

ok tb@
---
 src/lib/libcrypto/asn1/asn1_par.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index aec71d3be9..e9fe52021c 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_par.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: asn1_par.c,v 1.32 2022/01/14 23:55:46 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -232,7 +232,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
 			goto end;
 		}
 	} else if (tag == V_ASN1_BOOLEAN) {
-		if (len != 1) {
+		if (len != 1 || p >= tot) {
 			if (BIO_write(bp, "Bad boolean\n", 12) <= 0)
 				goto end;
--
cgit v1.2.3-55-g6feb
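Review bot: The new `p >= tot` guard in the V_ASN1_BOOLEAN branch is the only thing standing between a header-only boolean (len == 1 but no content octet left) and the `p[0]` read that follows, and nothing in the hunk says so; a one-line comment would keep a future refactor from folding it back into the length check: `/* len == 1 is not enough: ASN1_get_object may have left p at tot, so p[0] below needs p < tot */`. Both conditions now produce the single "Bad boolean" diagnostic, which is acceptable for a dump routine but hides whether the length or the truncation tripped, so a reader debugging fuzzer input has to look at the hex. `tot`, the `p[0]` read and the rest of asn1_parse2 are outside the hunk, so that `tot` marks the end of the caller's buffer is inferred from the commit message rather than visible here. Any other tag branch in this function that reads content bytes directly after ASN1_get_object is worth checking for the same header-consumed-everything case.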