summaryrefslogtreecommitdiff
path: root/crypto/evp/encode.c
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2016-03-04 10:17:17 +0000
committerMatt Caswell <matt@openssl.org>2016-05-03 11:56:23 +0100
commitee1e3cac2e83abc77bcc8ff98729ca1e10fcc920 (patch)
tree6cabe5517619baa6bd2e26dca23c18ac77fc6f09 /crypto/evp/encode.c
parentb7b8e948014d93e1eb6d954d0799ae68ab0e068b (diff)
downloadopenssl-new-ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920.tar.gz
Avoid overflow in EVP_EncodeUpdate
An overflow can occur in the EVP_EncodeUpdate function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Due to the very large amounts of data involved this will most likely result in a crash. Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable. Issue reported by Guido Vranken. CVE-2016-2105 Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/evp/encode.c')
-rw-r--r--crypto/evp/encode.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index ed85f8933b..6f862fa2dd 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -171,7 +171,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
if (inl <= 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;