Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds
before doing so. Previously, excessively large inputs to the function could
write a single byte outside the target buffer. (This is unreachable as
asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue.

Change-Id: I7ae42214ca620d4159fa01c942153717a7647c65
Reviewed-on: https://boringssl-review.googlesource.com/19204
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index ea9da24..106dab1 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -56,6 +56,7 @@
#include <openssl/asn1.h>
+#include <limits.h>
#include <string.h>
#include <openssl/err.h>
@@ -139,6 +140,11 @@
goto err;
}
+ if (len > INT_MAX) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
+ goto err;
+ }
+
if ((a == NULL) || ((*a) == NULL)) {
if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
return (NULL);
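
Review bot: The new `if (len > INT_MAX)` check carries no comment explaining why the bound is INT_MAX, and the diff adds no test that exercises it. Because the commit message says the path is unreachable through asn1_ex_c2i, a short comment such as `/* len is used as an int below */` plus a unit test that calls c2i_ASN1_BIT_STRING directly with a length above INT_MAX (on platforms where long is wider than int) would document the intent and keep the check from later being dropped as dead code. Also note that this `goto err` is taken before `ret` is assigned by `M_ASN1_BIT_STRING_new()` in the lines that follow, the same as the existing check just above it; the err label is not visible in this hunk, so it is worth confirming that it handles a `ret` that has not yet been set.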