729d2d0e11
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0293 - triggerable assert in SSLv2 server
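diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse openssl-1.0.1e/crypto/asn1/tasn_dec.c
--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-03-19 15:46:51.097022616 +0100
@@ -310,9 +310,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
 case ASN1_ITYPE_CHOICE:
 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 goto auxerr;
-
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
+ if (*pval)
+ {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount))
+ {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ }
+ else if (!ASN1_item_ex_new(pval, it))
 {
 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
 ERR_R_NESTED_ASN1_ERROR);
@@ -407,6 +417,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 goto auxerr;
 
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ {
+ if (tt->flags & ASN1_TFLG_ADB_MASK)
+ {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
 /* Get each field entry */
 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
 {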
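Review bot: In the second hunk's new ADB-freeing loop, the result of `asn1_do_adb(pval, tt, 1)` goes straight into `asn1_get_field_ptr(pval, seqtt)` and `ASN1_template_free(pseqval, seqtt)` with no NULL check. asn1_do_adb() is not defined on this page, but if it can return NULL when the selector of a reused structure matches no table entry (confirm in tasn_utl.c), this cleanup pass would dereference a null template while trying to fix a memory-corruption bug. A guard right after the call, `if (seqtt == NULL) continue;`, keeps the pass best-effort. The trailing `1` also looks like it asks the helper to raise an error on a miss, which seems wrong for a pass that only discards stale content, so consider passing `0` here. The body of ASN1_item_ex_d2i() starts and ends outside both hunks, so the later per-field handling of a NULL template could not be checked from this page.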