Reject long inputs in c2i_ASN1_INTEGER.

Thanks to mlbrown for reporting this.

Bug: chromium:942269
Change-Id: Ie06970f25a6ab0e08a8861d604b2177c8fd1d1a8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35326
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0522e9f..7b483f2 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -195,6 +195,16 @@
     unsigned char *to, *s;
     int i;
 
+    /*
+     * This function can handle lengths up to INT_MAX - 1, but the rest of the
+     * legacy ASN.1 code mixes integer types, so avoid exposing it to
+     * ASN1_INTEGERS with larger lengths.
+     */
+    if (len < 0 || len > INT_MAX / 2) {
+        OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
+        return NULL;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = M_ASN1_INTEGER_new()) == NULL)
             return (NULL);
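Review bot: The comment added above the new length check says the function can handle lengths up to INT_MAX - 1, yet the guard rejects anything above `INT_MAX / 2`, and nothing explains where the halved bound comes from. A later reader cannot tell whether the margin is deliberate headroom or a mistake, so the comment should give the reason, for example `Cap at INT_MAX / 2 so that callers adding to or doubling the length in int arithmetic cannot overflow.` if that is the intent. The enclosing function starts and ends outside the hunk, so the declared type of `len` and whether `<limits.h>` is already included for `INT_MAX` cannot be confirmed from here. The early `return NULL` is placed before `ret` is allocated, so it leaks nothing on the rejection path.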