{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1752651940,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"692791f790fc262f6ffc728a30a5beab",
"commit": {"type":"commit",
"time": 1487700433,
"time_ofs": 18446744073709551316,
"oid_tree": { "oid": "3f53c183fdc8db0eea571813c5e207fdeeb3eecb", "alias": []},
"oid":{ "oid": "ecca16632a73bb80ee27cdec8a97f6def0a4714d", "alias": []},
"msg": "Prevent OOB in SRP base64 code.",
"sig_commit": { "git_time": { "time": 1487700433, "offset": -300 }, "name": "Rich Salz", "email": "rsalz@openssl.org", "md5": "3ed6b9cf7bbe83902a044f6590346d26" },
"sig_author": { "git_time": { "time": 1487700433, "offset": -300 }, "name": "Rich Salz", "email": "rsalz@openssl.org", "md5": "3ed6b9cf7bbe83902a044f6590346d26" }},
"body": "Prevent OOB in SRP base64 code.\n\nChange size comparison from \u003e (GT) to \u003e\u003d (GTE) to ensure an additional\nbyte of output buffer, to prevent OOB reads/writes later in the function\nReject input strings larger than 2GB\nDetect invalid output buffer size and return early\n\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/2672)\n"
,
"diff": "diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c\nindex 188fad2..29b7afc 100644\n--- a/crypto/srp/srp_vfy.c\n+++ b/crypto/srp/srp_vfy.c\n@@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src)\n int i, j;\n int size;\n \n+ if (alen \u003d\u003d 0 || alen \u003e INT_MAX)\n+ return -1;\n+\n while (*src \u0026\u0026 (*src \u003d\u003d ' ' || *src \u003d\u003d '\u005ct' || *src \u003d\u003d '\u005cn'))\n ++src;\n size \u003d strlen(src);\n- if (alen \u003e INT_MAX || size \u003e (int)alen)\n+ if (size \u003c 0 || size \u003e\u003d (int)alen)\n return -1;\n \n i \u003d 0;\n@@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src)\n if (--i \u003c 0)\n break;\n }\n- while (a[j] \u003d\u003d 0 \u0026\u0026 j \u003c\u003d size)\n+ while (j \u003c\u003d size \u0026\u0026 a[j] \u003d\u003d 0)\n ++j;\n i \u003d 0;\n while (j \u003c\u003d size)\n","s":{"c":1752651940,"u": 50968}}
],"g": 51887,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
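Review bot: In the first hunk of crypto/srp/srp_vfy.c, `size = strlen(src);` still narrows a size_t into an int before the new `size < 0 || size >= (int)alen` test, so rejecting over-long input depends on how the out-of-range conversion turns out; a length that wraps to a small non-negative int would pass the check. Suggest keeping the strlen result in a size_t, returning -1 if it is `>= alen` (alen is already bounded by INT_MAX by the check added at the top of the hunk), and only then assigning it to `size`.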
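Review bot: In the second hunk, the reordered condition `while (j <= size && a[j] == 0)` now tests the bound before reading, but the bound still allows index `size`, which is in range only because the earlier check returns when `size >= (int)alen`. A short comment at this loop and at the following `while (j <= size)` stating that invariant would keep a later change to the size check from reintroducing the out-of-bounds access.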