git.ipfire.org Git - thirdparty/openssl.git/commit
fix undefined behavior on 3.1
author Alexandr Nedvedicky <sashan@openssl.org>
Mon, 19 Aug 2024 11:16:49 +0000 (13:16 +0200)
committer Tomas Mraz <tomas@openssl.org>
Tue, 27 Aug 2024 18:38:15 +0000 (20:38 +0200)
commit eb9790f7ad36d661a00d756b2cb7f6ced7252363
tree eb58703fd75dd90bec89260dfa7c020aac681b5f
parent 86f6fdf53a1cf47a54e670a11d8ea44f461eff36
fix undefined behavior on 3.1

(https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71220)

OpenSSL 3.2 and later are not affected, because they use
`safemath` to do integer arithmetic.

This change is specific to 3.1 and 3.0. It just
fixes ssl_session_calculate_timeout().

It avoids overflow by testing operands before executing
the operation. It is implemented as follows:

    add(a, b) {
        overflow = MAX_INT - a;
        if (b > overflow)
            result = b - overflow
        else
            result = a + b
    }

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25239)

(cherry picked from commit a85eb03a5ccaccd7b18f979d4dfb5cc76bb61cea)
ssl/ssl_sess.c
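
The operand test described in the commit message, written out in C as an added example (it is not the OpenSSL patch and not code from this page). The name `add_no_ub`, the 64-bit operand type, the `wrapped` flag and the rejection of negative inputs are assumptions made for the illustration; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper, not OpenSSL code. Adds two non-negative 64-bit
 * values without ever evaluating a + b when the sum would not fit,
 * because signed overflow is undefined behavior in C.
 * On overflow it sets *wrapped to 1 and returns b - (INT64_MAX - a),
 * following the pseudocode in the commit message.
 */
static int64_t add_no_ub(int64_t a, int64_t b, int *wrapped)
{
    int64_t room;

    *wrapped = 0;
    if (a < 0 || b < 0) {
        /* Assumption: callers pass non-negative times and timeouts only. */
        *wrapped = -1;
        return 0;
    }
    room = INT64_MAX - a;   /* cannot overflow because a >= 0 */
    if (b > room) {
        *wrapped = 1;
        return b - room;    /* 0 < b - room <= b, always representable */
    }
    return a + b;           /* b <= room, so a + b <= INT64_MAX */
}

int main(void)
{
    int w;
    int64_t r;

    /* Constructed sample: creation time plus timeout, in seconds. */
    r = add_no_ub(1724065009, 7200, &w);
    printf("%lld wrapped=%d\n", (long long)r, w);

    /* Constructed sample: a value close to the maximum forces the test. */
    r = add_no_ub(INT64_MAX - 10, 7200, &w);
    printf("%lld wrapped=%d\n", (long long)r, w);
    return 0;
}
```

Building with `-fsanitize=undefined` confirms that neither call reports a signed-integer-overflow, which is the class of finding the fuzzer issue referenced above concerns.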