From: Alexandr Nedvedicky
Date: Wed, 28 Aug 2024 12:37:07 +0000 (+0200)
Subject: EVP_CIPHER_CTX_get_algor_params() may attempt to access params array
X-Git-Tag: openssl-3.4.0-alpha1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbe4571f570ec28b4709746b6d4d624ca5394cc6;p=thirdparty%2Fopenssl.git

EVP_CIPHER_CTX_get_algor_params() may attempt to access params array at position -1 (params[-1]).

The issue has been reported by coverity check.

Reviewed-by: Richard Levitte
Reviewed-by: Tom Cosgrove
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25303)
---
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 1aebd718f03..4440582e4fa 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -1306,6 +1306,8 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg) i = 0; if (OSSL_PARAM_modified(¶ms[1]) && params[1].return_size != 0) i = 1; + if (i < 0) + goto err; /* * If alg->parameter is non-NULL, it will be changed by d2i_ASN1_TYPE() @@ -1318,7 +1320,7 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg) derk = params[i].key; derl = params[i].return_size; - if (i >= 0 && (der = OPENSSL_malloc(derl)) != NULL) { + if ((der = OPENSSL_malloc(derl)) != NULL) { unsigned char *derp = der; params[i] = OSSL_PARAM_construct_octet_string(derk, der, derl);
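
Review bot: the new `if (i < 0) goto err;` in the first hunk (@@ -1306) fails without recording why. The lines shown carry no error-queue entry and no comment, so a caller gets a bare failure when neither params entry was reported as modified. Consider raising an error before the jump, or at least adding a one-line comment that i < 0 means no algorithm parameters came back. It is also worth confirming that the err label is safe to reach this early, since der is only allocated further down.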
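
Review bot: the reads `derk = params[i].key;` and `derl = params[i].return_size;` in the second hunk (@@ -1318) are now protected only by a guard that sits in a different hunk, and nothing at this site says so. Dropping `i >= 0` from the malloc condition is correct, because that test ran after both reads and never covered them. A short comment above `derk = params[i].key;` stating that i is non-negative here would keep a later refactor from moving or removing the early exit and reintroducing the out-of-bounds access.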