Fix a heap buffer overflow with mismatched PEM structure ZD13097

2021-11-02 11:31:22 +01:00
parent 2745f394e5
commit 23487a4532
2 changed files with 16 additions and 2 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -43737,7 +43737,7 @@ err:
        }

        /* Read the header and footer */
-        while (wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
+        while (i < l && wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
            i++;
            if (!header) {
                header = XSTRNSTR(pem, "-----BEGIN ", (unsigned int)i);
@@ -43769,7 +43769,9 @@ err:
                if (footerEnd) {
                    footerEnd += XSTR_SIZEOF("-----");
                    /* Now check that footer matches header */
-                    if (XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "),
+                    if ((headerEnd - (header + XSTR_SIZEOF("-----BEGIN "))) ==
+                        (footerEnd - (footer + XSTR_SIZEOF("-----END "))) &&
+                        XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "),
                                footer + XSTR_SIZEOF("-----END "),
                        headerEnd - (header + XSTR_SIZEOF("-----BEGIN ")))
                            != 0) {
--- a/tests/api.c
+++ b/tests/api.c
@@ -29683,6 +29683,11 @@ static void test_wolfSSL_X509_INFO(void)
    X509_INFO *info;
    BIO *cert;
    int i;
+    byte data[] = {
+        "---------BEGIN CERTc-----\n"
+        "MIIDMTBuQ=\n"
+        "-----END -----"
+    };

    printf(testingFmt, "wolfSSL_X509_INFO");

@@ -29701,6 +29706,13 @@ static void test_wolfSSL_X509_INFO(void)
    sk_X509_INFO_free(info_stack);
    BIO_free(cert);

+    /* This case should fail due to invalid input. */
+    AssertNotNull(cert = BIO_new(BIO_s_mem()));
+    AssertIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data));
+    AssertNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    BIO_free(cert);
+
    printf(resultFmt, passed);
 #endif
 }