Reject len < -1 in ASN1_mbstring_ncopy

samuel40791765 · samuel40791765 · commit 988afd0f2750 · 2026-05-08T12:54:47.000-07:00
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
@@ -33,6 +33,10 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UTF8STRING)
 int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in,
                         ossl_ssize_t len, int inform, unsigned long mask,
                         ossl_ssize_t minsize, ossl_ssize_t maxsize) {
+  if (len < -1) {
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_FORMAT);
+    return -1;
+  }
   if (len == -1) {
     len = strlen((const char *)in);
   }
diff --git a/crypto/asn1/asn1_test.cc b/crypto/asn1/asn1_test.cc
@@ -1711,6 +1711,17 @@ TEST(ASN1Test, MBString) {
     ERR_clear_error();
     EXPECT_EQ(nullptr, str);
   }
+
+  // |len| values below -1 must be rejected; only -1 is special-cased to mean
+  // "call strlen on |in|". Any other negative value would otherwise be cast
+  // to a huge |size_t| by |CBS_init|.
+  static const uint8_t kDummy[] = {'a'};
+  ASN1_STRING *str = nullptr;
+  EXPECT_EQ(-1, ASN1_mbstring_ncopy(&str, kDummy, -2, MBSTRING_UTF8,
+                                    B_ASN1_UTF8STRING, /*minsize=*/0,
+                                    /*maxsize=*/0));
+  EXPECT_EQ(nullptr, str);
+  ERR_clear_error();
 }
 
 TEST(ASN1Test, StringByNID) {
