From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Wed, 10 Sep 2025 08:08:21 +0000 (+0200)
Subject: crypto/bio/bio_print.c: avoid signed int overflow in desc->pos in doapr_outch
X-Git-Tag: openssl-3.6.0-beta1~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cffbccf5eafbc351fc9a9f019810e1dfe04eeb17;p=thirdparty%2Fopenssl.git

crypto/bio/bio_print.c: avoid signed int overflow in desc->pos in doapr_outch

While highly improbable, a signed integer overflow can be triggered
by incrementing desc->pos LLONG_MAX + 1 times.

Fixes: 228ef5f54727 "crypto/bio/bio_print.c: make %n in line with other libc implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28502)
---

diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c
index ddc5bc6deee..b5f4979bfaf 100644
--- a/crypto/bio/bio_print.c
+++ b/crypto/bio/bio_print.c
@@ -975,11 +975,13 @@ doapr_outch(struct pr_desc *desc, int c)
             (*(desc->buffer))[(desc->currlen)++] = (char)c;
     }
 
-    desc->pos++;
+    if (desc->pos < LLONG_MAX)
+        desc->pos++;
 
     return 1;
 }
 
+
 /***************************************************************************/
 
 int BIO_printf(BIO *bio, const char *format, ...)