params_dup: fix off by one error that allows array overreach.
authorPauli <pauli@openssl.org>
Sun, 18 Apr 2021 23:50:52 +0000 (09:50 +1000)
committerPauli <pauli@openssl.org>
Tue, 20 Apr 2021 22:57:42 +0000 (08:57 +1000)
The end-of-loop test allows the index to go one step too far to leave room for
terminating the param array, but the end-of-list record is still added.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14922)

crypto/params_dup.c

index e1b14059794c1e47ee7260276be94b6d6ef9c059..6a58b52f65cbc669d48ff8d414d7bc306fd416f4 100644 (file)
@@ -147,8 +147,8 @@ static int compare_params(const void *left, const void *right)
 
 OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
 {
-    const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX];
-    const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX];
+    const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX + 1];
+    const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX + 1];
     const OSSL_PARAM *p = NULL;
     const OSSL_PARAM **p1cur, **p2cur;
     OSSL_PARAM *params, *dst;
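Review bot: The `+ 1` on `list1` and `list2` carries no comment saying what the extra slot is for, so the coupling between the array size and the fill loop's bound is easy to break again in a later edit. The loops that fill the arrays and write the terminator are outside this hunk; going by the commit message, they stop at OSSL_PARAM_MERGE_LIST_MAX entries and then store the end-of-list pointer at that index. I would add `/* + 1 for the terminating NULL entry */` above the two declarations. It also looks as if inputs with more than OSSL_PARAM_MERGE_LIST_MAX entries are truncated silently rather than rejected, which is worth confirming and documenting. A regression test that merges exactly OSSL_PARAM_MERGE_LIST_MAX parameters would pin the boundary.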