From: Pauli <pauli@openssl.org>
Date: Sun, 18 Apr 2021 23:50:52 +0000 (+1000)
Subject: params_dup: fix off by one error that allows array overreach.
X-Git-Tag: openssl-3.0.0-alpha15~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ecb19d1092d6db1397aa24512996f98f8e5e268;p=thirdparty%2Fopenssl.git

params_dup: fix off by one error that allows array overreach.

The end of loop test allows the index to go one step too far to be able to
terminate the param array but the end of list record is still added.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14922)
---

diff --git a/crypto/params_dup.c b/crypto/params_dup.c
index e1b14059794..6a58b52f65c 100644
--- a/crypto/params_dup.c
+++ b/crypto/params_dup.c
@@ -147,8 +147,8 @@ static int compare_params(const void *left, const void *right)
 
 OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
 {
-    const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX];
-    const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX];
+    const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX + 1];
+    const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX + 1];
     const OSSL_PARAM *p = NULL;
     const OSSL_PARAM **p1cur, **p2cur;
     OSSL_PARAM *params, *dst;