From: jaekuk, lee Date: Mon, 12 Jun 2017 04:34:26 +0000 (+0900) Subject: Avoid overflow in EVP_EncodeUpdate X-Git-Tag: accepted/tizen/unified/20170612.170751^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=44da52a1827bf05a010b12f4bccfb370fe4e59c2;p=platform%2Fupstream%2Fnodejs.git Avoid overflow in EVP_EncodeUpdate https://nvd.nist.gov/vuln/detail/CVE-2016-2105 https://git.openssl.org/?p=openssl.git;a=commit;h=5b814481f3573fa9677f3a31ee51322e2a22ee6a An overflow can occur in the EVP_EncodeUpdate function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Due to the very large amounts of data involved this will most likely result in a crash. Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable. Issue reported by Guido Vranken. CVE-2016-2105 Change-Id: Ie90201c3ac5c6203583620c5843d2cd896a69955 Signed-off-by: jaekuk, lee --- diff --git a/deps/openssl/openssl/crypto/evp/encode.c b/deps/openssl/openssl/crypto/evp/encode.c old mode 100644 new mode 100755 index c6abc4a..a5d0c65 --- a/deps/openssl/openssl/crypto/evp/encode.c +++ b/deps/openssl/openssl/crypto/evp/encode.c @@ -157,7 +157,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return;