From: Kenjiro Nakayama
Subject: [PATCH] libressl: Fix integer overflow
To: tech@openbsd.org
Cc: Kenjiro Nakayama
Date: Wed, 26 Feb 2025 18:02:02 +0900

If the values a->length or ca->type is large, they could overflow, which would cause undefined behavior.

Signed-off-by: Kenjiro Nakayama
---
 src/lib/libcrypto/objects/obj_dat.c | 4 ++--
 src/regress/lib/libcrypto/asn1/asn1object.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 53ae83784..7c8ddeef0 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -100,7 +100,7 @@ added_obj_hash(const ADDED_OBJ *ca)
 a = ca->obj;
 switch (ca->type) {
 case ADDED_DATA:
- ret = a->length << 20L;
+ ret = (unsigned long)a->length << 20L;
 p = (unsigned char *)a->data;
 for (i = 0; i < a->length; i++)
 ret ^= p[i] << ((i * 3) % 24);
@@ -118,7 +118,7 @@ added_obj_hash(const ADDED_OBJ *ca)
 return 0;
 }
 ret &= 0x3fffffffL;
- ret |= ca->type << 30L;
+ ret |= (unsigned long)ca->type << 30L;
 return (ret);
 }
 static IMPLEMENT_LHASH_HASH_FN(added_obj, ADDED_OBJ)
diff --git a/src/regress/lib/libcrypto/asn1/asn1object.c b/src/regress/lib/libcrypto/asn1/asn1object.c
index 242881af0..085522939 100644
--- a/src/regress/lib/libcrypto/asn1/asn1object.c
+++ b/src/regress/lib/libcrypto/asn1/asn1object.c
@@ -531,7 +531,7 @@ asn1_object_i2d_errors(void)
 if ((ret = i2d_ASN1_OBJECT(aobj, NULL)) > 0) {
 fprintf(stderr, "FAIL: i2d_ASN1_OBJECT() succeeded on undefined "
- "object\n");
+ "object returned %d, want <= 0\n", ret);
 goto failed;
 }
--
2.39.5 (Apple Git-154)
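Review bot: The context line `ret ^= p[i] << ((i * 3) % 24);` in the first obj_dat.c hunk keeps the same class of problem this commit sets out to fix: `i` runs up to `a->length`, so under the commit's own premise of a large length the product `i * 3` can overflow (assuming `i` is an `int`; its declaration is outside the hunk). Because `(i * 3) % 24` equals `(i % 8) * 3` for non-negative `i`, the line can become `ret ^= (unsigned long)p[i] << ((i % 8) * 3);` without changing any hash value. With the new cast a negative `a->length` converts to a very large `unsigned long` instead of overflowing, which is defined, but whether a caller can ever supply one is not visible here. The body of added_obj_hash starts above this hunk and continues past it.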
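Review bot: The cast on `ret |= (unsigned long)ca->type << 30L;` in the second obj_dat.c hunk deserves a comment, because the commit message's "large" understates when the old expression overflowed. With a 32-bit `int`, any type value of 2 or more shifted left by 30 no longer fits, so this is presumably reachable with ordinary type values rather than only extreme ones (the `ADDED_*` definitions are outside the hunk). Something like `/* type occupies the two bits above the 30-bit hash; shift as unsigned long to avoid signed overflow */` above the line would record why the cast must stay. The `L` suffix on the shift count has no effect on the result type and could be dropped in a later cleanup.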
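Review bot: The asn1object.c hunk does not exercise the code this commit fixes; it only rewords the failure message in asn1_object_i2d_errors, so the overflow fix in added_obj_hash ships without a regression test as far as this patch shows. The message edit reads as an unrelated improvement and would be easier to review and revert as its own commit. The new text also runs two clauses together ("succeeded on undefined object returned %d"); a separator such as `"object: returned %d, want <= 0\n", ret);` would read more clearly. The enclosing function starts and ends outside the hunk, so the declared type of `ret` behind `%d` cannot be confirmed from here.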