Fix ASN1_INTEGER handling.

Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER tag: V_ASN1_NEG_INTEGER is an internal only value which is never used for on the wire encoding. Thanks to David Benjamin <davidben@google.com> for reporting this bug. This was found using libFuzzer. RT#4364 (part)CVE-2016-2108. Reviewed-by: Emilia Käsper <emilia@openssl.org>
2025-01-18 13:44:20 +08:00 · 2016-04-15 02:37:09 +01:00 · 2016-04-15 02:37:09 +01:00 · d7ab691bc4
commit d7ab691bc4
parent d202a602e0
3 changed files with 0 additions and 6 deletions
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@ -122,9 +122,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
        result = 0;             /* They do not have content. */
        break;
    case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
    case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
    case V_ASN1_BIT_STRING:
    case V_ASN1_OCTET_STRING:
    case V_ASN1_SEQUENCE:
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@ -858,9 +858,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
        break;

    case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
    case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
        tint = (ASN1_INTEGER **)pval;
        if (!c2i_ASN1_INTEGER(tint, &cont, len))
            goto err;
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@ -600,9 +600,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
                                   cout ? &cout : NULL);

    case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
    case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
        /*
         * These are all have the same content format as ASN1_INTEGER
         */