From ed44c785483d961996be1105c8471657b251bf1d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 12 Feb 2022 03:07:24 +0000
Subject: Avoid potential single byte overread in asn1_parse2().

A fix for this was previously commited in r1.32, however while this added
a bounds check the logic means we still fall through and perform the
overread. Fix the logic such that we only log the error if the bounds check
fails. While here, flip the test around such that we check for validity then
print (which is more readable and matches earlier code).

ok inoguchi@ tb@
---
 src/lib/libcrypto/asn1/asn1_par.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index 2d1c7b2b48..6c14f271b6 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_par.c,v 1.33 2022/01/20 10:49:56 inoguchi Exp $ */
+/* $OpenBSD: asn1_par.c,v 1.34 2022/02/12 03:07:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -233,12 +233,13 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
 						goto end;
 				}
 			} else if (tag == V_ASN1_BOOLEAN) {
-				if (len != 1 || p >= tot) {
+				if (len == 1 && p < tot) {
+					BIO_printf(bp, ":%u", p[0]);
+				} else {
 					if (BIO_write(bp, "Bad boolean\n",
 					    12) <= 0)
 						goto end;
 				}
-				BIO_printf(bp, ":%u", p[0]);
 			} else if (tag == V_ASN1_BMPSTRING) {
 				/* do the BMP thang */
 			} else if (tag == V_ASN1_OCTET_STRING) {
-- 
cgit v1.2.3-55-g6feb