From: Bernd Edlinger Date: Tue, 21 Oct 2025 11:42:00 +0000 (+0200) Subject: Fix heap-buffer-overflow in CI fuzzing tests X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~300 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfc6f643c09aba831d4856597ef9633dda2fb6c4;p=thirdparty%2Fopenssl.git Fix heap-buffer-overflow in CI fuzzing tests The ASN1_STRING is not supposed to be used as a zero-terminated string. Therefore we need to check the string length explicitly and use memcmp instead of strcmp in ossl_x509_check_cert_time. Fixes a regression introduced by #28623 Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28962) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index de3be330278..b62ad860e04 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2174,8 +2174,8 @@ int ossl_x509_check_certificate_times(const X509_VERIFY_PARAM *vpm, X509 *x, * 99991231235959Z. */ notafter = X509_get0_notAfter(x); - if (strcmp((const char *)ASN1_STRING_get0_data(notafter), "99991231235959Z") - == 0) + if (notafter->length == 15 + && memcmp(ASN1_STRING_get0_data(notafter), "99991231235959Z", 15) == 0) return 1; if (!ossl_x509_compare_asn1_time(vpm, notafter, &comparison)) { @@ -2225,8 +2225,8 @@ int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) * 99991231235959Z. */ notafter = X509_get0_notAfter(x); - if (strcmp((const char *)ASN1_STRING_get0_data(notafter), "99991231235959Z") - == 0) + if (notafter->length == 15 + && memcmp(ASN1_STRING_get0_data(notafter), "99991231235959Z", 15) == 0) return 1; i = ossl_x509_compare_asn1_time(vpm, notafter, &comparison);
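Review bot: In the ossl_x509_check_certificate_times hunk, the new condition hard-codes 15 twice beside the literal "99991231235959Z" and reads `notafter->length` directly while the data is fetched through ASN1_STRING_get0_data. Deriving the length from the literal (`sizeof("99991231235959Z") - 1`) and using `ASN1_STRING_length(notafter)` would keep the length and the literal in step and make the access style consistent. The commit message also names only ossl_x509_check_cert_time, although this hunk changes ossl_x509_check_certificate_times; naming both functions would make the log accurate.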
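Review bot: The ossl_x509_check_cert_time hunk repeats, line for line, the `notafter->length == 15` plus memcmp test added in ossl_x509_check_certificate_times, so the "no expiry" sentinel check now lives in two places that can drift apart. A small static helper taking the notAfter value and returning whether it equals 99991231235959Z would leave one copy to maintain. The patch as shown touches only crypto/x509/x509_vfy.c; a regression test with a notAfter that is shorter than 15 bytes and not NUL-terminated would pin the fix independently of the fuzzing corpus.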