Reject long inputs in c2i_ASN1_INTEGER.
Thanks to mlbrown for reporting this.
Bug: chromium:942269
Change-Id: Ie06970f25a6ab0e08a8861d604b2177c8fd1d1a8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35326
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0522e9f..7b483f2 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -195,6 +195,16 @@
unsigned char *to, *s;
int i;
+ /*
+ * This function can handle lengths up to INT_MAX - 1, but the rest of the
+ * legacy ASN.1 code mixes integer types, so avoid exposing it to
+ * ASN1_INTEGERS with larger lengths.
+ */
+ if (len < 0 || len > INT_MAX / 2) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
+ return NULL;
+ }
+
if ((a == NULL) || ((*a) == NULL)) {
if ((ret = M_ASN1_INTEGER_new()) == NULL)
return (NULL);
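Review bot: The new bound uses `INT_MAX`, but nothing in this hunk shows `<limits.h>` being included in a_int.c; if the macro only arrives transitively through another header, the build is fragile, so either confirm the include is already present or add an explicit `#include <limits.h>` with the file's other system includes. The placement of the check before `M_ASN1_INTEGER_new()` is right, since a rejected input then allocates nothing and there is no `ret` to free. The comment explains that `INT_MAX - 1` would be safe for this function but not why `INT_MAX / 2` was picked, so a reader may later "fix" it upward; I would add a sentence such as `/* INT_MAX / 2 is deliberately conservative; raise it only after auditing the int arithmetic in callers. */`. c2i_ASN1_INTEGER's signature (and the type of `len`) and the rest of its body lie outside the hunk, so the comparison against an int constant is assumed to be on a wider signed type.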