Fix CVE-2022-3602 in punycode decoder.

An off by one error in the punycode decoder allowed for a single unsigned int
overwrite of a buffer which could cause a crash and possible code execution.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit fe3b639dc19b325846f4f6801f2f4604f56e3de3)

diff --git a/crypto/punycode.c b/crypto/punycode.c
index f6d7ff7960e25b67e1377187ecf061fca19f4fa1..f0796163e3e94d9dfc63b3638a6ec9203a779fcd 100644 (file)
--- a/crypto/punycode.c
+++ b/crypto/punycode.c
@@ -181,7 +181,7 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
         n = n + i / (written_out + 1);
         i %= (written_out + 1);
 
-        if (written_out > max_out)
+        if (written_out >= max_out)
             return 0;
 
         memmove(pDecoded + i + 1, pDecoded + i,