diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
--- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow	2016-04-07 15:45:20.000000000 +0200
+++ openssl-1.0.1e/crypto/evp/encode.c	2016-04-29 12:46:34.232656522 +0200
@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
 	     const unsigned char *in, int inl)
 	{
 	int i,j;
-	unsigned int total=0;
+	size_t total=0;
 
 	*outl=0;
 	if (inl == 0) return;
 	OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-	if ((ctx->num+inl) < ctx->length)
+	if (ctx->length - ctx->num > inl)
 		{
 		memcpy(&(ctx->enc_data[ctx->num]),in,inl);
 		ctx->num+=inl;
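Review bot: The entry guard `if (inl == 0) return;` still lets a negative `inl` through. With the rewritten comparison `ctx->length - ctx->num > inl`, a negative value takes this branch, and `memcpy(&(ctx->enc_data[ctx->num]),in,inl)` then receives the length converted to a very large `size_t`. Changing the guard to `if (inl <= 0) return;` closes that path. The subtraction also assumes `ctx->num` never exceeds `ctx->length`, which the existing `OPENSSL_assert` does not check; a one-line comment stating that invariant would help. The body of EVP_EncodeUpdate continues outside this hunk.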
@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
 		*out='\0';
 		total=j+1;
 		}
-	while (inl >= ctx->length)
+	while (inl >= ctx->length && total <= INT_MAX)
 		{
 		j=EVP_EncodeBlock(out,in,ctx->length);
 		in+=ctx->length;
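Review bot: `INT_MAX` is introduced in the loop condition `while (inl >= ctx->length && total <= INT_MAX)`, but the patch adds no `#include <limits.h>`. Whether encode.c already gets it through another header is not visible here, so an explicit include at the top of the file would be safer. The bound is also tested before each block is encoded, so `total` can pass `INT_MAX` by one encoded line before the loop stops. That is harmless now that `total` is `size_t`, but deserves a comment such as `/* total may overshoot INT_MAX by one line; rejected after the loop */`. The loop body continues outside this hunk.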
@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
 		*out='\0';
 		total+=j+1;
 		}
+	if (total > INT_MAX)
+		{
+		/* Too much output data! */
+		*outl = 0;
+		return;
+		}
 	if (inl != 0)
 		memcpy(&(ctx->enc_data[0]),in,inl);
 	ctx->num=inl;
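Review bot: The new `if (total > INT_MAX)` branch fails silently. The function is `void`, so returning with `*outl = 0` looks the same to a caller as a call that only buffered input, even though encoded bytes were already written to `out`. The early return also skips the trailing `memcpy` and `ctx->num=inl;`, so the context keeps its earlier `num`; whether a later finalisation call then emits stale data depends on code outside this hunk and should be confirmed. At minimum, expand the comment to state the contract, e.g. `/* Too much output data: bytes already written to out are discarded, *outl is 0, ctx is not updated; callers must bound inl */`.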