From bf2dea0e2c6f1cfe1a8222088052ebcc63ab1004 Mon Sep 17 00:00:00 2001 From: Andrey Tsygunka Date: Tue, 26 Nov 2024 10:53:31 +0300 Subject: [PATCH] ossl_i2c_ASN1_BIT_STRING(): Fix a possible heap buffer overflow When data contains only zero values a buffer overflow happens. CLA: trivial Signed-off-by: Andrey Tsygunka Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26190) --- crypto/asn1/a_bitstr.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index d394070632241..a87cb15b44d4b 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -36,25 +36,30 @@ int ossl_i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) if (a->data[len - 1]) break; } - j = a->data[len - 1]; - if (j & 0x01) + + if (len == 0) { bits = 0; - else if (j & 0x02) - bits = 1; - else if (j & 0x04) - bits = 2; - else if (j & 0x08) - bits = 3; - else if (j & 0x10) - bits = 4; - else if (j & 0x20) - bits = 5; - else if (j & 0x40) - bits = 6; - else if (j & 0x80) - bits = 7; - else - bits = 0; /* should not happen */ + } else { + j = a->data[len - 1]; + if (j & 0x01) + bits = 0; + else if (j & 0x02) + bits = 1; + else if (j & 0x04) + bits = 2; + else if (j & 0x08) + bits = 3; + else if (j & 0x10) + bits = 4; + else if (j & 0x20) + bits = 5; + else if (j & 0x40) + bits = 6; + else if (j & 0x80) + bits = 7; + else + bits = 0; /* should not happen */ + } } } else bits = 0;