From 9b082e3d93019c6ea59a61073a6eba48ace641b8 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 11 Dec 2024 11:22:06 +0000
Subject: Avoid an oob access in asn1_item_free()
As explained in a comment, this needs to loop backwards and the last tt-- ends up pointing at &it->templates[-1], which isn't ok. Use a simple way of looping, which is also ugly and involves some type confusion as pointed out by claudio. However, type confusion is common in libcrypto's asn1 code and won't be fixed anytime soon anyway. ok jsing
---
 src/lib/libcrypto/asn1/tasn_fre.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index 83c073b55d..0e259a13ab 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.23 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -152,10 +152,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 * determine the type of the field it defines. So
 * free up in reverse order.
 */
- tt = it->templates + it->tcount - 1;
- for (i = 0; i < it->tcount; tt--, i++) {
+ for (i = it->tcount - 1; i >= 0; i--) {
 ASN1_VALUE **pseqval;
- seqtt = asn1_do_adb(pval, tt, 0);
+ seqtt = asn1_do_adb(pval, &it->templates[i], 0);
 if (!seqtt)
 continue;
 pseqval = asn1_get_field_ptr(pval, seqtt);
--
cgit v1.2.3-55-g6feb
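Review bot: The rewritten loop `for (i = it->tcount - 1; i >= 0; i--)` only terminates if `i` is a signed type, and its declaration is outside this hunk, so nothing visible here stops a later change to an unsigned index from making `i >= 0` always true and indexing far outside `it->templates`. The commit message already concedes some type confusion; presumably `it->tcount` is wider than `i`, in which case the initial assignment also narrows silently. A short comment above the loop would record both assumptions, e.g. `/* i must stay signed: the loop ends when it reaches -1; tcount is assumed to fit in i */`. asn1_item_free's body starts and ends outside the hunk, so the declared types should be confirmed there.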