From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 18 Jul 2024 08:48:58 +0000 (+0200)
Subject: i2d_name_canon(): Check overflow in len accumulation
X-Git-Tag: openssl-3.1.7~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d44130278a693e332bdc09936c79e1e7cbce2c7;p=thirdparty%2Fopenssl.git

i2d_name_canon(): Check overflow in len accumulation

Fixes Coverity 1604638

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24930)

(cherry picked from commit b2deefb9d262f0f9eae6964006df98c2fa24daac)
(cherry picked from commit dd744cd19b3ff2bdc320c8a77b5c32ff543eaeb3)
(cherry picked from commit a3bfc4fd5b5641b05d6611073146627cf9114436)
---

diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index 944eb999248..5d3a4f92004 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -476,8 +476,8 @@ static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
         v = sk_ASN1_VALUE_value(intname, i);
         ltmp = ASN1_item_ex_i2d(&v, in,
                                 ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
-        if (ltmp < 0)
-            return ltmp;
+        if (ltmp < 0 || len > INT_MAX - ltmp)
+            return -1;
         len += ltmp;
     }
     return len;