From: Tomas Mraz Date: Tue, 5 May 2026 15:01:42 +0000 (+0200) Subject: The tag value must fit into int X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00fba2aca43261cff42f01f183d654ab0dfc1fd1;p=thirdparty%2Fopenssl.git The tag value must fit into int We cannot allow an unbounded tag value as this is an O(n^2) algorithm and the tag cannot be larger than INT_MAX anyway. Fixes 35852da1d9e24cb74034b2f418cef3a58203b127 Reviewed-by: Eugene Syromiatnikov Reviewed-by: Matt Caswell Reviewed-by: Simo Sorce MergeDate: Thu May 7 12:12:25 2026 (Merged from https://github.com/openssl/openssl/pull/31091) --- diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index 629d5170280..8f9e2676897 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c @@ -169,8 +169,15 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) diff--; if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) { + unsigned int i = 0; /* Multi-byte tag. See if we have the whole thing yet */ do { + if (i > 4) { + /* The tag value must fit into int */ + ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG); + goto err; + } + ++i; diff--; } while (diff > 0 && *(q++) & 0x80);
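Review bot: In the a_d2i_fp.c hunk, the new `if (i > 4)` bound is looser than the comment beside it claims. With `i` starting at 0 and incremented once per pass, the error fires only on the sixth pass, so a tag with five subsequent octets is still accepted. At 7 value bits per octet that is up to 35 bits, which does not fit into a 32-bit int. If the intent is only to bound the loop and leave the exact range check to the code that later decodes the tag, the comment should say that instead of "The tag value must fit into int". If the intent is to enforce the range here, the count alone cannot do it and the accumulated value would need checking. It would also help to replace the bare 4 with a named constant, or a short comment deriving it from the width of int, so the relationship between the limit and INT_MAX is visible at the check.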