EVP_CIPHER_CTX_get_algor_params() may attempt to access params array
authorAlexandr Nedvedicky <sashan@openssl.org>
Wed, 28 Aug 2024 12:37:07 +0000 (14:37 +0200)
committerTomas Mraz <tomas@openssl.org>
Tue, 3 Sep 2024 19:18:51 +0000 (21:18 +0200)
at position -1 (params[-1]).

The issue has been reported by coverity check.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25303)

crypto/evp/evp_lib.c

index 1aebd718f03678f34cc6b25c809c9a7a3fea27b3..4440582e4fa2c92f71d3876baeec5212119554b0 100644 (file)
@@ -1306,6 +1306,8 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg)
         i = 0;
     if (OSSL_PARAM_modified(&params[1]) && params[1].return_size != 0)
         i = 1;
+    if (i < 0)
+        goto err;
 
     /*
      * If alg->parameter is non-NULL, it will be changed by d2i_ASN1_TYPE()
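Review bot: The added `if (i < 0) goto err;` leaves without recording why. When neither key reports a non-zero `return_size`, the caller gets the same failure as every other path to `err`, and nothing visible in the hunk puts an entry on the error queue. The `err` label and the initialisation of `i` are outside this hunk, so check whether that path already raises an error; if it does not, an `ERR_raise()` before the jump would make the condition diagnosable. At minimum, a comment above the guard would help, for example `/* neither parameter key reported a size: there is no params[] slot to read */`.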
@@ -1318,7 +1320,7 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg)
 
     derk = params[i].key;
     derl = params[i].return_size;
-    if (i >= 0 && (der = OPENSSL_malloc(derl)) != NULL) {
+    if ((der = OPENSSL_malloc(derl)) != NULL) {
         unsigned char *derp = der;
 
         params[i] = OSSL_PARAM_construct_octet_string(derk, der, derl);
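Review bot: With `i >= 0` dropped from the `OPENSSL_malloc()` condition, the reads `params[i].key` and `params[i].return_size` at the top of this hunk depend entirely on the guard added in the earlier hunk, and nothing near them states that invariant. A later refactor that moves or removes that guard would silently bring back the out-of-bounds index. A one-line comment above `derk = params[i].key;` would record it where the index is used, for example `/* i is 0 or 1 here: the i < 0 case has already gone to err */`. The block opened by the `if` continues past the end of the hunk.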