From eb27d75788e7d53a2a43aacc25f23c2856b4065d Mon Sep 17 00:00:00 2001
From: Beat Bolli
Date: Sun, 14 Feb 2021 23:47:15 +0100
Subject: [PATCH] ASN1: check the Unicode code point range in ASN1_mbstring_copy()
Signed-off-by: Beat Bolli
Reviewed-by: Shane Lontis
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/14185)
---
 crypto/asn1/a_mbstr.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 2af2445410..208a383af2 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -10,6 +10,7 @@
 #include
 #include "crypto/ctype.h"
 #include "internal/cryptlib.h"
+#include "internal/unicode.h"
 #include
 static int traverse_string(const unsigned char *p, int len, int inform,
@@ -242,6 +243,9 @@ static int traverse_string(const unsigned char *p, int len, int inform,
 static int in_utf8(unsigned long value, void *arg)
 {
 int *nchar;
+
+ if (!is_unicode_valid(value))
+ return -2;
 nchar = arg;
 (*nchar)++;
 return 1;
@@ -251,9 +255,13 @@ static int in_utf8(unsigned long value, void *arg)
 static int out_utf8(unsigned long value, void *arg)
 {
- int *outlen;
+ int *outlen, len;
+
+ len = UTF8_putc(NULL, -1, value);
+ if (len <= 0)
+ return len;
 outlen = arg;
- *outlen += UTF8_putc(NULL, -1, value);
+ *outlen += len;
 return 1;
 }
@@ -278,6 +286,8 @@ static int type_str(unsigned long value, void *arg)
 types &= ~B_ASN1_T61STRING;
 if ((types & B_ASN1_BMPSTRING) && (value > 0xffff))
 types &= ~B_ASN1_BMPSTRING;
+ if ((types & B_ASN1_UTF8STRING) && !is_unicode_valid(value))
+ types &= ~B_ASN1_UTF8STRING;
 if (!types)
 return -1;
 *((unsigned long *)arg) = types;
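Review bot: The `return -2;` added at the top of in_utf8 is an unexplained magic value; the only other callback failure visible in this patch, in type_str, returns -1. Whether the code that calls traverse_string() with in_utf8 tells the two values apart cannot be seen from this hunk, so the meaning should be written down next to the check, for example `/* -2: reject code points outside the valid Unicode range before counting them */`. in_utf8's closing brace lies outside the hunk.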
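Review bot: The early `return len;` in out_utf8 protects `*outlen` only if the traverse_string() call that passes out_utf8 checks its result, and that call site is not part of this patch. If the result is ignored there, `*outlen` is left as a partial sum and the later copy step would presumably be sized from it, so the caller should treat a negative return as a hard failure of the conversion. Note also that `len <= 0` forwards a 0 unchanged, which a caller testing only `< 0` may read as success; `return len < 0 ? len : -1;` removes that ambiguity.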
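Review bot: The new test in type_str removes only B_ASN1_UTF8STRING for an invalid code point, while the BMPSTRING test just above it still checks only `value > 0xffff`. If is_unicode_valid() (defined in internal/unicode.h, not shown here) also rejects surrogates, a value in 0xD800–0xDFFF keeps BMPSTRING in the mask, and nothing visible in this hunk narrows B_ASN1_UNIVERSALSTRING either. It is worth confirming that this is intended and recording it in a comment such as `/* only UTF8String is restricted to valid code points here */`. type_str begins and ends outside the hunk, so tests not shown may already cover part of this.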