From cffbccf5eafbc351fc9a9f019810e1dfe04eeb17 Mon Sep 17 00:00:00 2001
From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Wed, 10 Sep 2025 10:08:21 +0200
Subject: [PATCH] crypto/bio/bio_print.c: avoid signed int overflow in
 desc->pos in doapr_outch
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

While highly improbable, a signed integer overflow can be triggered
by incrementing desc->pos LLONG_MAX + 1 times.

Fixes: 228ef5f54727 "crypto/bio/bio_print.c: make %n in line with other libc implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28502)
---
 crypto/bio/bio_print.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c
index ddc5bc6deee..b5f4979bfaf 100644
--- a/crypto/bio/bio_print.c
+++ b/crypto/bio/bio_print.c
@@ -975,11 +975,13 @@ doapr_outch(struct pr_desc *desc, int c)
             (*(desc->buffer))[(desc->currlen)++] = (char)c;
     }
 
-    desc->pos++;
+    if (desc->pos < LLONG_MAX)
+        desc->pos++;
 
     return 1;
 }
 
+
 /***************************************************************************/
 
 int BIO_printf(BIO *bio, const char *format, ...)
-- 
2.47.3