Check for overflow in i2c_ASN1_BIT_STRING. Should the string be INT_MAX, we cannot actually represent the output length. i2c_ASN1_INTEGER and ASN1_object_size have checks this, but this was missing it. Change-Id: I7cf5debb87568b876f3799308ef4ad6d2b1ff7e6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55085 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>

commit: eeb3333f44cf0a8b0a1018dcfca54c72d8c4a3a3 [log] [tgz]
author: David Benjamin <davidben@google.com> Sun Nov 06 16:18:47 2022 +0000
committer: Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Nov 07 12:28:40 2022 +0000
tree: 5e90541e22c1d59a0580edf4546fd81551686025
parent: 38f621a3667afca1262ce3b9390ef5a23042ff19 [diff]
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 9c50857..c67efeb 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c

@@ -115,6 +115,10 @@
 
   uint8_t bits;
   int len = asn1_bit_string_length(a, &bits);
+  if (len > INT_MAX - 1) {
+    OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);
+    return 0;
+  }
   int ret = 1 + len;
   if (pp == NULL) {
     return ret;
commit	eeb3333f44cf0a8b0a1018dcfca54c72d8c4a3a3	[log] [tgz]
author	David Benjamin <davidben@google.com>	Sun Nov 06 16:18:47 2022 +0000
committer	Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>	Mon Nov 07 12:28:40 2022 +0000
tree	5e90541e22c1d59a0580edf4546fd81551686025
parent	38f621a3667afca1262ce3b9390ef5a23042ff19 [diff]