From dfc6f643c09aba831d4856597ef9633dda2fb6c4 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 21 Oct 2025 13:42:00 +0200 Subject: [PATCH] Fix heap-buffer-overflow in CI fuzzing tests The ASN1_STRING is not supposed to be used as a zero-terminated string. Therefore we need to check the string length explicitly and use memcmp instead of strcmp in ossl_x509_check_cert_time. Fixes a regression introduced by #28623 Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28962) --- crypto/x509/x509_vfy.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index de3be330278..b62ad860e04 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2174,8 +2174,8 @@ int ossl_x509_check_certificate_times(const X509_VERIFY_PARAM *vpm, X509 *x, * 99991231235959Z. */ notafter = X509_get0_notAfter(x); - if (strcmp((const char *)ASN1_STRING_get0_data(notafter), "99991231235959Z") - == 0) + if (notafter->length == 15 + && memcmp(ASN1_STRING_get0_data(notafter), "99991231235959Z", 15) == 0) return 1; if (!ossl_x509_compare_asn1_time(vpm, notafter, &comparison)) { @@ -2225,8 +2225,8 @@ int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) * 99991231235959Z. */ notafter = X509_get0_notAfter(x); - if (strcmp((const char *)ASN1_STRING_get0_data(notafter), "99991231235959Z") - == 0) + if (notafter->length == 15 + && memcmp(ASN1_STRING_get0_data(notafter), "99991231235959Z", 15) == 0) return 1; i = ossl_x509_compare_asn1_time(vpm, notafter, &comparison); -- 2.47.3