Blame SOURCES/openssl-1.0.1e-cve-2016-2105.patch
|
 |
5fee79 |
diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
|
|
|
5fee79 |
--- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow 2016-04-07 15:45:20.000000000 +0200
|
|
|
5fee79 |
+++ openssl-1.0.1e/crypto/evp/encode.c 2016-04-29 12:46:34.232656522 +0200
|
|
|
5fee79 |
@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
|
|
|
5fee79 |
const unsigned char *in, int inl)
|
|
|
5fee79 |
{
|
|
|
5fee79 |
int i,j;
|
|
|
5fee79 |
- unsigned int total=0;
|
|
|
5fee79 |
+ size_t total=0;
|
|
|
5fee79 |
|
|
|
5fee79 |
*outl=0;
|
|
|
5fee79 |
if (inl == 0) return;
|
|
|
5fee79 |
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
|
|
|
5fee79 |
- if ((ctx->num+inl) < ctx->length)
|
|
|
5fee79 |
+ if (ctx->length - ctx->num > inl)
|
|
|
5fee79 |
{
|
|
|
5fee79 |
memcpy(&(ctx->enc_data[ctx->num]),in,inl);
|
|
|
5fee79 |
ctx->num+=inl;
|
|
|
5fee79 |
@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
|
|
|
5fee79 |
*out='\0';
|
|
|
5fee79 |
total=j+1;
|
|
|
5fee79 |
}
|
|
|
5fee79 |
- while (inl >= ctx->length)
|
|
|
5fee79 |
+ while (inl >= ctx->length && total <= INT_MAX)
|
|
|
5fee79 |
{
|
|
|
5fee79 |
j=EVP_EncodeBlock(out,in,ctx->length);
|
|
|
5fee79 |
in+=ctx->length;
|
|
|
5fee79 |
@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
|
|
|
5fee79 |
*out='\0';
|
|
|
5fee79 |
total+=j+1;
|
|
|
5fee79 |
}
|
|
|
5fee79 |
+ if (total > INT_MAX)
|
|
|
5fee79 |
+ {
|
|
|
5fee79 |
+ /* Too much output data! */
|
|
|
5fee79 |
+ *outl = 0;
|
|
|
5fee79 |
+ return;
|
|
|
5fee79 |
+ }
|
|
|
5fee79 |
if (inl != 0)
|
|
|
5fee79 |
memcpy(&(ctx->enc_data[0]),in,inl);
|
|
|
5fee79 |
ctx->num=inl;
|