From: Andrey Tsygunka Date: Tue, 26 Nov 2024 07:53:31 +0000 (+0300) Subject: ossl_i2c_ASN1_BIT_STRING(): Fix a possible heap buffer overflow X-Git-Tag: openssl-3.1.8~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efbbb582e79f4f5614c1522d0fd291dffac3f4be;p=thirdparty%2Fopenssl.git ossl_i2c_ASN1_BIT_STRING(): Fix a possible heap buffer overflow When data contains only zero values a buffer overflow happens. CLA: trivial Signed-off-by: Andrey Tsygunka Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26190) (cherry picked from commit bf2dea0e2c6f1cfe1a8222088052ebcc63ab1004) --- diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 4930d5022ee..549c0e88554 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -36,25 +36,30 @@ int ossl_i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) if (a->data[len - 1]) break; } - j = a->data[len - 1]; - if (j & 0x01) + + if (len == 0) { bits = 0; - else if (j & 0x02) - bits = 1; - else if (j & 0x04) - bits = 2; - else if (j & 0x08) - bits = 3; - else if (j & 0x10) - bits = 4; - else if (j & 0x20) - bits = 5; - else if (j & 0x40) - bits = 6; - else if (j & 0x80) - bits = 7; - else - bits = 0; /* should not happen */ + } else { + j = a->data[len - 1]; + if (j & 0x01) + bits = 0; + else if (j & 0x02) + bits = 1; + else if (j & 0x04) + bits = 2; + else if (j & 0x08) + bits = 3; + else if (j & 0x10) + bits = 4; + else if (j & 0x20) + bits = 5; + else if (j & 0x40) + bits = 6; + else if (j & 0x80) + bits = 7; + else + bits = 0; /* should not happen */ + } } } else bits = 0;