Add more negative checks for integers passed to OPENSSL_malloc().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)

diff --git a/apps/lib/app_x509.c b/apps/lib/app_x509.c
index 00581aabbd6ce1ee25004b8ba54a116e382d4ee4..3d9e4fd69700d799e4f6d00978789c921ab05332 100644 (file)
--- a/apps/lib/app_x509.c
+++ b/apps/lib/app_x509.c
@@ -26,7 +26,7 @@ static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
 
     if (v == NULL) {
         BIO_printf(bio_err, "error: allocation failed\n");
-    } else if (!ASN1_OCTET_STRING_set(v, value, value_n)) {
+    } else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
         ASN1_OCTET_STRING_free(v);
         v = NULL;
     }

diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index bdefa448ec54a559965fa7797f11e82c7d50dbfb..263c8a0c5e06a6ad5fb13184a6dbc9a70d3e7780 100644 (file)
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
         return NULL;
 
     i = i2d(x, NULL);
+    if (i <= 0)
+        return NULL;
+
     b = OPENSSL_malloc(i + 10);
     if (b == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);

diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d4aa4ecbffd96fc16e15e4adc8368f7..19e41ec73e3571dee06bd8e4447bd0f0ca1f7a6d 100644 (file)
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     ASN1_INTEGER *ret = NULL;
     const unsigned char *p;
     unsigned char *s;
-    long len;
+    long len = 0;
     int inf, tag, xclass;
     int i;
 
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         goto err;
     }
 
+    if (len < 0) {
+        i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+        goto err;
+    }
     /*
      * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
      * a missing NULL parameter.

diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 208a383af26441cf67acb8e44dd5ccaa544e1703..22dea873eeba566e398829f5d7602ef4ba9f2724 100644 (file)
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         len = strlen((const char *)in);
     if (!mask)
         mask = DIRSTRING_TYPE;
+    if (len < 0)
+        return -1;
 
     /* First do a string check and work out the number of characters */
     switch (inform) {

diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index dc99e2d7c2751d21174826ce6810e825391426bf..19af059a2cff49b95ecc88d2729ae93b1ce659d8 100644 (file)
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
 
 static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
 {
-    if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
+    if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }

diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index b6388cd12fd95bc09498af3b46906ecb11c3c394..fb4304482262b062661e781b579d49c6e5bb751a 100644 (file)
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     }
     if (!saltlen)
         saltlen = PKCS5_SALT_LEN;
+    if (saltlen < 0)
+        goto err;
 
     sstr = OPENSSL_malloc(saltlen);
     if (sstr == NULL) {

diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 738e3a0d10d21dd19d5ef3bc827a87c18f4c23b1..1049f0190505cd042bef4ad63c5d49c2e8eadb21 100644 (file)
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     kdf->salt->value.octet_string = osalt;
     kdf->salt->type = V_ASN1_OCTET_STRING;
 
+    if (saltlen < 0)
+        goto merr;
     if (saltlen == 0)
         saltlen = PKCS5_SALT_LEN;
     if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)

diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 12a6b15999ae29ffe636c34001a4cc1dd4196bd3..28a4b23aa48bb59d13cd09edbabd6e514e601828 100644 (file)
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
         return 1;
 
     OPENSSL_free(enc->enc);
+    if (inlen <= 0)
+        return 0;
     if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;

diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index 46eff55447fa96b23806dc6aa08c002372f80963..157bc3af4546df523054237508feb060ed6b88de 100644 (file)
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -289,7 +289,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_C_SET_BUFF_READ_DATA:
         if (num > ctx->ibuf_size) {
-            p1 = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p1 = OPENSSL_malloc((size_t)num);
             if (p1 == NULL)
                 goto malloc_error;
             OPENSSL_free(ctx->ibuf);
@@ -318,12 +320,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         p1 = ctx->ibuf;
         p2 = ctx->obuf;
         if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) {
-            p1 = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p1 = OPENSSL_malloc((size_t)num);
             if (p1 == NULL)
                 goto malloc_error;
         }
         if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p2 = OPENSSL_malloc((int)num);
+            p2 = OPENSSL_malloc((size_t)num);
             if (p2 == NULL) {
                 if (p1 != ctx->ibuf)
                     OPENSSL_free(p1);

diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index b1f8d68658318c397cbcae350ba0beca9f2e101a..14e2e6613dd974340a7229a0864a9a30d1714ee4 100644 (file)
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -235,7 +235,9 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         obs = (int)num;
         p = ctx->obuf;
         if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p = OPENSSL_malloc((size_t)num);
             if (p == NULL)
                 goto malloc_error;
         }

diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index 1669948f27cac6171ebb1c2536beddee9fbfb6d5..23ba8aeb73f2e80e8a59882bbaaa55a45bb11b6e 100644 (file)
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -196,6 +196,8 @@ static int slg_write(BIO *b, const char *in, int inl)
         /* The default */
     };
 
+    if (inl < 0)
+        return 0;
     if ((buf = OPENSSL_malloc(inl + 1)) == NULL) {
         ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
         return 0;

diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 96cb6d053f0e71c34e565ac1d2b37626de4d9bbb..ebfe5b93c7f053dbe6817f6711b08d9176808b69 100644 (file)
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -223,6 +223,8 @@ int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
     int len;
 
     len = i2d_ESS_SIGNING_CERT(sc, NULL);
+    if (len <= 0)
+        goto err;
     if ((pp = OPENSSL_malloc(len)) == NULL) {
         ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -251,6 +253,8 @@ int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc)
     unsigned char *p, *pp = NULL;
     int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
 
+    if (len <= 0)
+        goto err;
     if ((pp = OPENSSL_malloc(len)) == NULL) {
         ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
         goto err;

diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index acf90051c4c4619c2946f65a16bd217a90c10510..70b3ec702b1e6caa01c40754f786a57cd03fb575 100644 (file)
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -234,6 +234,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
     }
     if (!saltlen)
         saltlen = PKCS12_SALT_LEN;
+    if (saltlen < 0)
+        return 0;
     if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
         return 0;

diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index af5b628c0fd050c25a1c9d037e35fb3ba94da77e..c3afb6aca1cebfb3ae577b07b9f7a1c21bc31040 100644 (file)
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -21,6 +21,8 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
 
     if (asclen == -1)
         asclen = strlen(asc);
+    if (asclen < 0)
+        return NULL;
     ulen = asclen * 2 + 2;
     if ((unitmp = OPENSSL_malloc(ulen)) == NULL) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
@@ -44,9 +46,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
 {
     int asclen, i;
     char *asctmp;
+
     /* string must contain an even number of bytes */
     if (unilen & 1)
         return NULL;
+    if (unilen < 0)
+        return NULL;
     asclen = unilen / 2;
     /* If no terminating zero allow for one */
     if (!unilen || uni[unilen - 1])

diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 5ae952ad1f329b1e76b378ed8b022076502c9d1a..0c6d5f72fec3cfac816544a82721990499cac45b 100644 (file)
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -236,6 +236,8 @@ int X509_ocspid_print(BIO *bp, X509 *x)
         goto err;
     subj = X509_get_subject_name(x);
     derlen = i2d_X509_NAME(subj, NULL);
+    if (derlen <= 0)
+        goto err;
     if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
         goto err;
     i2d_X509_NAME(subj, &dertmp);

diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index 7ec4727c4d588f70fd850b356f8efb3520f35f80..f8a7dfe8408ab78e63d22a35ef2d5ac6be78f9fe 100644 (file)
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -154,6 +154,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
         unsigned char *p;
 
         ext_len = method->i2d(ext_struc, NULL);
+        if (ext_len <= 0)
+            goto merr;
         if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
             goto merr;
         p = ext_der;

diff --git a/crypto/x509/v3_ia5.c b/crypto/x509/v3_ia5.c
index c1204eb8fad3ffd817f634be8d9934bb469080e8..6722b6c01f05e840a145a8c154c0b3c947d14961 100644 (file)
--- a/crypto/x509/v3_ia5.c
+++ b/crypto/x509/v3_ia5.c
@@ -29,7 +29,7 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
 {
     char *tmp;
 
-    if (ia5 == NULL || ia5->length == 0)
+    if (ia5 == NULL || ia5->length <= 0)
         return NULL;
     if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);

diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c
index 2e6e7e9f9b88b08e9f3fc481ae48c98db6a37622..1d371c47614f5354942040a5620d683b7a67be59 100644 (file)
--- a/crypto/x509/x509spki.c
+++ b/crypto/x509/x509spki.c
@@ -58,7 +58,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
     unsigned char *der_spki, *p;
     char *b64_str;
     int der_len;
+
     der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+    if (der_len <= 0)
+        return NULL;
     der_spki = OPENSSL_malloc(der_len);
     b64_str = OPENSSL_malloc(der_len * 2);
     if (der_spki == NULL || b64_str == NULL) {