mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 12:20:52 +02:00
wolfcrypt: validate API input sizes
This commit is contained in:
+8
-1
@@ -24880,7 +24880,14 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
||||
int wc_PemToDer(const unsigned char* buff, long longSz, int type,
|
||||
DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
|
||||
{
|
||||
int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
|
||||
int ret;
|
||||
|
||||
if (buff == NULL || longSz <= 0) {
|
||||
WOLFSSL_MSG("Bad pem der args");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
|
||||
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
|
||||
if (ret == 0 && type == PRIVATEKEY_TYPE) {
|
||||
DerBuffer* der = *pDer;
|
||||
|
||||
@@ -221,6 +221,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
|
||||
if (out == NULL || in == NULL) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
/* Cap input so the initial doubling and additive growth in the loop
|
||||
* cannot overflow word32 or the int return type. */
|
||||
if (inSz > (word32)(INT_MAX / 2)) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
i = (maxSz == 1)? 1 : 2; /* start with output buffer twice the size of input
|
||||
* unless max was set to 1 */
|
||||
|
||||
@@ -229,7 +234,7 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
|
||||
/* Check for source > 64K on 16-bit machine: */
|
||||
if ((uLong)stream.avail_in != inSz) return DECOMPRESS_INIT_E;
|
||||
|
||||
tmpSz = inSz * i;
|
||||
tmpSz = inSz * (word32)i;
|
||||
tmp = (byte*)XMALLOC(tmpSz, heap, memoryType);
|
||||
if (tmp == NULL)
|
||||
return MEMORY_E;
|
||||
@@ -278,6 +283,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
|
||||
}
|
||||
i++;
|
||||
|
||||
if (tmpSz > (word32)INT_MAX - inSz) {
|
||||
WOLFSSL_MSG("Decompress buffer would exceed INT_MAX");
|
||||
result = DECOMPRESS_E;
|
||||
break;
|
||||
}
|
||||
newSz = tmpSz + inSz;
|
||||
newTmp = (byte*)XMALLOC(newSz, heap, memoryType);
|
||||
if (newTmp == NULL) {
|
||||
@@ -295,13 +305,18 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
|
||||
} while (result == Z_OK);
|
||||
|
||||
if (result == Z_STREAM_END) {
|
||||
result = (int)stream.total_out;
|
||||
*out = (byte*)XMALLOC(result, heap, memoryType);
|
||||
if (*out != NULL) {
|
||||
XMEMCPY(*out, tmp, result);
|
||||
if (stream.total_out > (uLong)INT_MAX) {
|
||||
result = DECOMPRESS_E;
|
||||
}
|
||||
else {
|
||||
result = MEMORY_E;
|
||||
result = (int)stream.total_out;
|
||||
*out = (byte*)XMALLOC(result, heap, memoryType);
|
||||
if (*out != NULL) {
|
||||
XMEMCPY(*out, tmp, result);
|
||||
}
|
||||
else {
|
||||
result = MEMORY_E;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
||||
Reference in New Issue
Block a user