diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
--- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow 2016-04-07 15:45:20.000000000 +0200
+++ openssl-1.0.1e/crypto/evp/encode.c 2016-04-29 12:46:34.232656522 +0200
@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
const unsigned char *in, int inl)
{
int i,j;
- unsigned int total=0;
+ size_t total=0;
*outl=0;
if (inl == 0) return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num+inl) < ctx->length)
+ if (ctx->length - ctx->num > inl)
{
memcpy(&(ctx->enc_data[ctx->num]),in,inl);
ctx->num+=inl;
@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out='\0';
total=j+1;
}
- while (inl >= ctx->length)
+ while (inl >= ctx->length && total <= INT_MAX)
{
j=EVP_EncodeBlock(out,in,ctx->length);
in+=ctx->length;
@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
*out='\0';
total+=j+1;
}
+ if (total > INT_MAX)
+ {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]),in,inl);
ctx->num=inl;