From: Eugene Syromiatnikov
Date: Mon, 15 Sep 2025 03:14:09 +0000 (+0200)
Subject: apps/storeutl.c: avoid signed integer overflow in indent_printf()
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f7f2874c8a8e15a10486188bbe86fd2142f74a22;p=thirdparty%2Fopenssl.git

apps/storeutl.c: avoid signed integer overflow in indent_printf()

As two arbitrarily large printf return value can trigger function overflow, rewrite the return value handling to avoid it.

Fixes: fb43ddceda79 "Add a recursive option to 'openssl storeutl'"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665428
References: https://github.com/openssl/project/issues/1432
Signed-off-by: Eugene Syromiatnikov
Reviewed-by: Paul Dale
Reviewed-by: Matt Caswell
Reviewed-by: Neil Horman
(Merged from https://github.com/openssl/openssl/pull/28546)
---
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 62f0e613564..f8ebde44481 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -331,14 +331,22 @@ int storeutl_main(int argc, char *argv[])
 static int indent_printf(int indent, BIO *bio, const char *format, ...)
 {
     va_list args;
-    int ret;
+    int ret, vret;
+
+    ret = BIO_printf(bio, "%*s", indent, "");
+    if (ret < 0)
+        return ret;
     va_start(args, format);
+    vret = BIO_vprintf(bio, format, args);
+    va_end(args);
-    ret = BIO_printf(bio, "%*s", indent, "") + BIO_vprintf(bio, format, args);
+    if (vret < 0)
+        return vret;
+    if (vret > INT_MAX - ret)
+        return INT_MAX;
-    va_end(args);
-    return ret;
+    return ret + vret;
 }
 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
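Review bot: `if (vret > INT_MAX - ret) return INT_MAX;` silently reports a clamped value rather than the number of bytes actually written, and a caller cannot tell the two apart; since the guard exists only to avoid the signed-overflow UB this commit fixes, it should say so in place, e.g. `/* ret + vret would overflow int (UB); saturate instead */`. INT_MAX also requires `<limits.h>`, and the include block is outside the hunk, so confirm apps/storeutl.c includes it directly rather than reaching it transitively. Returning `ret` or `vret` unchanged on error keeps BIO_printf's negative-return convention, and the early return before `va_start(args, format)` is safe because no va_start/va_end pairing is open at that point.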