From: Neil Horman <nhorman@openssl.org>
Date: Tue, 16 Jul 2024 15:38:33 +0000 (-0400)
Subject: Fix coverity-1604661
X-Git-Tag: openssl-3.4.0-alpha1~312
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50066236eb3b31c93aaa935ca38f5cc1ec056696;p=thirdparty%2Fopenssl.git

Fix coverity-1604661

Coverity called out an error in asn1parse_main, indicating that the
for(;;) loop which repeatedly reads from a bio and updates the length
value num, may overflow said value prior to exiting the loop.

We could probably call this a false positive, but on very large PEM
file, I suppose it could happen, so just add a check to ensure that num
doesn't go from a large positive to a large negative value inside the
loop

Fixes openssl/private#571

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24910)
---

diff --git a/apps/asn1parse.c b/apps/asn1parse.c
index bf62f859479..26b7cf2173a 100644
--- a/apps/asn1parse.c
+++ b/apps/asn1parse.c
@@ -216,6 +216,9 @@ int asn1parse_main(int argc, char **argv)
                 i = BIO_read(in, &(buf->data[num]), BUFSIZ);
                 if (i <= 0)
                     break;
+                /* make sure num doesn't overflow */
+                if (i > LONG_MAX - num)
+                    goto end;
                 num += i;
             }
         }