From: slontis <shane.lontis@oracle.com>
Date: Wed, 29 Oct 2025 06:12:00 +0000 (+1100)
Subject: Fix potential malloc(-1) bugs.
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f81fbf25fc469a55e8dc43f88bac714c72fbb168;p=thirdparty%2Fopenssl.git

Fix potential malloc(-1) bugs.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29068)
---

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 82b80ecbf6d..d8333369722 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -989,6 +989,7 @@ PKCS12_R_ENCRYPT_ERROR:103:encrypt error
 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE:120:error setting encrypted data type
 PKCS12_R_INVALID_NULL_ARGUMENT:104:invalid null argument
 PKCS12_R_INVALID_NULL_PKCS12_POINTER:105:invalid null pkcs12 pointer
+PKCS12_R_INVALID_SALT_LENGTH:117:invalid salt length
 PKCS12_R_INVALID_TYPE:112:invalid type
 PKCS12_R_IV_GEN_ERROR:106:iv gen error
 PKCS12_R_KEY_GEN_ERROR:107:key gen error
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 3d426a5c891..152878c6df7 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -334,6 +334,8 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep)
     char *tmp;
     size_t tmp_n;
 
+    if (buflen < 0)
+        return NULL;
     if (buflen == 0)
         return OPENSSL_zalloc(1);
 
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index b43c82f0ed2..d2d8ffc35bb 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -471,6 +471,10 @@ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
     }
 
     if (salt == NULL) {
+        if (saltlen <= 0) {
+            ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_SALT_LENGTH);
+            goto err;
+        }
         known_salt = OPENSSL_malloc(saltlen);
         if (known_salt == NULL)
             goto err;
diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
index e9bcaf4b6e5..0e9507a4625 100644
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -17,36 +17,38 @@
 static const ERR_STRING_DATA PKCS12_str_reasons[] = {
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_CALLBACK_FAILED), "callback failed"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_CANT_PACK_STRUCTURE),
-    "can't pack structure"},
+     "can't pack structure"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_CONTENT_TYPE_NOT_DATA),
-    "content type not data"},
+     "content type not data"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_DECODE_ERROR), "decode error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_ENCODE_ERROR), "encode error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_ENCRYPT_ERROR), "encrypt error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),
-    "error setting encrypted data type"},
+     "error setting encrypted data type"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_NULL_ARGUMENT),
-    "invalid null argument"},
+     "invalid null argument"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_NULL_PKCS12_POINTER),
-    "invalid null pkcs12 pointer"},
+     "invalid null pkcs12 pointer"},
+    {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_SALT_LENGTH),
+     "invalid salt length"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_INVALID_TYPE), "invalid type"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_IV_GEN_ERROR), "iv gen error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_KEY_GEN_ERROR), "key gen error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_ABSENT), "mac absent"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_GENERATION_ERROR),
-    "mac generation error"},
+     "mac generation error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_SETUP_ERROR), "mac setup error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_STRING_SET_ERROR),
-    "mac string set error"},
+     "mac string set error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_VERIFY_FAILURE),
-    "mac verify failure"},
+     "mac verify failure"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PARSE_ERROR), "parse error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_CIPHERFINAL_ERROR),
-    "pkcs12 cipherfinal error"},
+     "pkcs12 cipherfinal error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),
-    "unknown digest algorithm"},
+     "unknown digest algorithm"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNSUPPORTED_PKCS12_MODE),
-    "unsupported pkcs12 mode"},
+     "unsupported pkcs12 mode"},
     {0, NULL}
 };
 
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index db208a15a60..510bbd5da27 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -633,9 +633,13 @@ static int ossl_ess_add1_signing_cert(PKCS7_SIGNER_INFO *si,
                                       const ESS_SIGNING_CERT *sc)
 {
     ASN1_STRING *seq = NULL;
-    int len = i2d_ESS_SIGNING_CERT(sc, NULL);
-    unsigned char *p, *pp = OPENSSL_malloc(len);
+    int len;
+    unsigned char *p, *pp;
 
+    len = i2d_ESS_SIGNING_CERT(sc, NULL);
+    if (len <= 0)
+        return 0;
+    pp = OPENSSL_malloc(len);
     if (pp == NULL)
         return 0;
 
@@ -660,9 +664,13 @@ static int ossl_ess_add1_signing_cert_v2(PKCS7_SIGNER_INFO *si,
                                          const ESS_SIGNING_CERT_V2 *sc)
 {
     ASN1_STRING *seq = NULL;
-    int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
-    unsigned char *p, *pp = OPENSSL_malloc(len);
+    int len;
+    unsigned char *p, *pp;
 
+    len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+    if (len <= 0)
+        return 0;
+    pp = OPENSSL_malloc(len);
     if (pp == NULL)
         return 0;
 
diff --git a/include/crypto/pkcs12err.h b/include/crypto/pkcs12err.h
index 114971c607c..c9f92889d68 100644
--- a/include/crypto/pkcs12err.h
+++ b/include/crypto/pkcs12err.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h
index abce3736289..dbf0763c6be 100644
--- a/include/openssl/pkcs12err.h
+++ b/include/openssl/pkcs12err.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -30,6 +30,7 @@
 # define PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE       120
 # define PKCS12_R_INVALID_NULL_ARGUMENT                   104
 # define PKCS12_R_INVALID_NULL_PKCS12_POINTER             105
+# define PKCS12_R_INVALID_SALT_LENGTH                     117
 # define PKCS12_R_INVALID_TYPE                            112
 # define PKCS12_R_IV_GEN_ERROR                            106
 # define PKCS12_R_KEY_GEN_ERROR                           107