From cad4f3facc2ff5dce97b08b9ab8718783358b30c Mon Sep 17 00:00:00 2001 From: Jake Cooke Date: Tue, 18 May 2021 18:20:54 +0930 Subject: Add bounds checking to length returned by wcslen in wide_to_asc conversion to resolve integer overflow flaw Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15316) --- engines/e_capi.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/engines/e_capi.c b/engines/e_capi.c index dd66518d3f..2ea3cd2059 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -1120,10 +1120,19 @@ static char *wide_to_asc(LPCWSTR wstr) { char *str; int len_0, sz; + size_t len_1; if (!wstr) return NULL; - len_0 = (int)wcslen(wstr) + 1; /* WideCharToMultiByte expects int */ + + len_1 = wcslen(wstr) + 1; + + if (len_1 > INT_MAX) { + CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_FUNCTION_NOT_SUPPORTED); + return NULL; + } + + len_0 = (int)len_1; /* WideCharToMultiByte expects int */ sz = WideCharToMultiByte(CP_ACP, 0, wstr, len_0, NULL, 0, NULL, NULL); if (!sz) { CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); -- cgit v1.2.3