While highly improbable, a signed integer overflow can be triggered
by incrementing desc->pos LLONG_MAX + 1 times.
Fixes: 228ef5f54727 "crypto/bio/bio_print.c: make %n in line with other libc implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28502)
(*(desc->buffer))[(desc->currlen)++] = (char)c;
}
- desc->pos++;
+ if (desc->pos < LLONG_MAX)
+ desc->pos++;
return 1;
}
+
/***************************************************************************/
int BIO_printf(BIO *bio, const char *format, ...)
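Review bot: the new `if (desc->pos < LLONG_MAX)` guard makes desc->pos saturate silently, and nothing at that line says so. A one-line comment above the check, stating that the counter is clamped at LLONG_MAX rather than allowed to wrap, would tell whoever reads pos later (the Fixes tag points at the %n handling) that a value of LLONG_MAX means "at least this many". It is also worth confirming that <limits.h> is included in this file, since the hunk does not show it. The blank line added before the comment banner is an unrelated whitespace change that could be dropped from this fix.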