From 945b935ac66cc7f1a41f1b849c7c25adb5351f49 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Thu, 5 Mar 2026 15:47:34 +0100
Subject: [PATCH] Avoid possible buffer overflow in buf2hex conversion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes CVE-2026-31789
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:39:23 2026
(cherry picked from commit 3244aa4b9d6ea0220cc14fd97d951c67b5052837)
---
crypto/o_str.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 35540630be25f..9b9e7751fdd9e 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -296,6 +296,11 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
int has_sep = (sep != CH_ZERO);
size_t i, len = has_sep ? buflen * 3 : 1 + buflen * 2;
+ if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2)) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+ return 0;
+ }
+
if (len == 0)
++len;
if (strlength != NULL)
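Review bot: The new bound check at `+ if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2))` sits after `len` has already been computed on the preceding context line, so on the rejected path `len` transiently holds a wrapped value; `size_t` wraparound is not undefined behaviour, but the order invites a later edit to use `len` before the guard has run. Splitting the declaration into `size_t i, len;` and moving `len = has_sep ? buflen * 3 : 1 + buflen * 2;` below the new `if` block keeps the arithmetic behind the bound it depends on, and a one-line comment such as `/* len must not wrap: 3 chars/byte with a separator, 2 + NUL without */` would record why the two divisors differ. The second hunk in ossl_buf2hexstr_sep already orders it this way, computing `tmp_n` only after its check. The body of buf2hexstr_sep begins and continues outside this hunk.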
@@ -339,7 +344,13 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep)
if (buflen == 0)
return OPENSSL_zalloc(1);
- tmp_n = (sep != CH_ZERO) ? buflen * 3 : 1 + buflen * 2;
+ if ((sep != CH_ZERO && (size_t)buflen > SIZE_MAX / 3)
+ || (sep == CH_ZERO && (size_t)buflen > (SIZE_MAX - 1) / 2)) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+ return NULL;
+ }
+
+ tmp_n = (sep != CH_ZERO) ? (size_t)buflen * 3 : 1 + (size_t)buflen * 2;
if ((tmp = OPENSSL_malloc(tmp_n)) == NULL)
return NULL;