commit 515c728dbaa92211d2eafb0041ab9fcd258fdc41 Author: Bernd Edlinger Date: Mon Sep 9 19:12:25 2019 +0200 Fix potential memory leaks with BN_to_ASN1_INTEGER Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9833) (cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 1ce1181fc1..7cbf8de981 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, unsigned char *buffer = NULL; const EC_POINT *point = NULL; point_conversion_form_t form; + ASN1_INTEGER *orig; if (params == NULL) { if ((ret = ECPARAMETERS_new()) == NULL) { @@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB); goto err; } - ret->order = BN_to_ASN1_INTEGER(tmp, ret->order); + ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order); if (ret->order == NULL) { + ret->order = orig; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } @@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, /* set the cofactor (optional) */ tmp = EC_GROUP_get0_cofactor(group); if (tmp != NULL) { - ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); + ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor); if (ret->cofactor == NULL) { + ret->cofactor = orig; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c index 089f2ae29f..ef2d64826f 100644 --- a/crypto/x509v3/v3_asid.c +++ b/crypto/x509v3/v3_asid.c @@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor, static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) { ASN1_INTEGER *a_max_plus_one = NULL; + ASN1_INTEGER *orig; BIGNUM *bn = NULL; int i, ret = 0; @@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) */ if ((bn == NULL && (bn = BN_new()) == NULL) || ASN1_INTEGER_to_BN(a_max, bn) == NULL || - !BN_add_word(bn, 1) || - (a_max_plus_one = - BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + !BN_add_word(bn, 1)) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, + ERR_R_MALLOC_FAILURE); + goto done; + } + + if ((a_max_plus_one = + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { + a_max_plus_one = orig; X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, ERR_R_MALLOC_FAILURE); goto done; @@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid) static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) { ASN1_INTEGER *a_max_plus_one = NULL; + ASN1_INTEGER *orig; BIGNUM *bn = NULL; int i, ret = 0; @@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) */ if ((bn == NULL && (bn = BN_new()) == NULL) || ASN1_INTEGER_to_BN(a_max, bn) == NULL || - !BN_add_word(bn, 1) || - (a_max_plus_one = - BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + !BN_add_word(bn, 1)) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + ERR_R_MALLOC_FAILURE); + goto done; + } + + if ((a_max_plus_one = + BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { + a_max_plus_one = orig; X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); goto done; commit 86ed78676c660b553696cc10c682962522dfeb6c Author: Tomas Mraz Date: Thu Sep 12 12:27:36 2019 +0200 BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls. There can be data to write in output buffer and data to read that were not yet read in the input stream. Fixes #9866 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9877) (cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95) diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index d688deee5f..7c1be358fd 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr) BIO_copy_next_retry(b); break; + case BIO_CTRL_WPENDING: + if (ctx->obuf == NULL) + return 0; + + if (ctx->odone) { + ret = ctx->ocount; + } else { + ret = ctx->ocount; + if (ret == 0) + /* Unknown amount pending but we are not finished */ + ret = 1; + } + if (ret == 0) + ret = BIO_ctrl(next, cmd, num, ptr); + break; + + case BIO_CTRL_PENDING: + ret = ctx->zin.avail_in; + if (ret == 0) + ret = BIO_ctrl(next, cmd, num, ptr); + break; + default: ret = BIO_ctrl(next, cmd, num, ptr); break;