Fix small correctness issues from pen-test

prasden · prasden · commit c3384f30024e · 2026-05-08T12:10:57.000-07:00
diff --git a/crypto/bio/bio.c b/crypto/bio/bio.c
@@ -305,6 +305,9 @@ int BIO_write(BIO *bio, const void *in, int inl) {
 }
 
 int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_bytes) {
+  if (written_bytes != NULL) {
+    *written_bytes = 0;
+  }
   if (bio == NULL) {
     OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
     return 0;
diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c
@@ -484,6 +484,11 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) {
     // we now have a line with trailing \r\n removed
 
     // i is the number of bytes
+    // Ensure addition doesn't overflow and corrupt the signed buffer position
+    if (i > INT_MAX - bufnum) {
+      OPENSSL_PUT_ERROR(CONF, ERR_R_OVERFLOW);
+      goto err;
+    }
     bufnum += i;
 
     v = NULL;
diff --git a/crypto/fipsmodule/bn/bytes.c b/crypto/fipsmodule/bn/bytes.c
@@ -91,6 +91,7 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
     return NULL;
   }
   ret->width = (int)num_words;
+  ret->neg = 0;
 
   bn_little_endian_to_words(ret->d, ret->width, in, len);
 
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -483,7 +483,8 @@ int PEM_write(FILE *fp, const char *name, const char *header,
 
 int PEM_write_bio(BIO *bp, const char *name, const char *header,
                   const unsigned char *data, long len) {
-  int nlen, n, i, j, outl;
+  int nlen, n, i, outl;
+  long j;
   unsigned char *buf = NULL;
   EVP_ENCODE_CTX ctx;
   int reason = ERR_R_BUF_LIB;
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
@@ -138,6 +138,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
           X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL);
       if (crl->idp != NULL) {
         if (!setup_idp(crl, crl->idp)) {
+          ISSUING_DIST_POINT_free(crl->idp);
+          crl->idp = NULL;
           return 0;
         }
       } else if (i != -1) {
@@ -147,6 +149,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
       crl->akid =
           X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &i, NULL);
       if (crl->akid == NULL && i != -1) {
+        ISSUING_DIST_POINT_free(crl->idp);
+        crl->idp = NULL;
         return 0;
       }
 
@@ -169,6 +173,10 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
       }
 
       if (!crl_parse_entry_extensions(crl)) {
+        AUTHORITY_KEYID_free(crl->akid);
+        crl->akid = NULL;
+        ISSUING_DIST_POINT_free(crl->idp);
+        crl->idp = NULL;
         return 0;
       }
 

Original file line number	Diff line number	Diff line change
`@@ -305,6 +305,9 @@ int BIO_write(BIO bio, const void in, int inl) {`
`305`	`305`	`}`
`306`	`306`
`307`	`307`	`int BIO_write_ex(BIO bio, const void data, size_t data_len, size_t *written_bytes) {`
	`308`	`+ if (written_bytes != NULL) {`
	`309`	`+ *written_bytes = 0;`
	`310`	`+ }`
`308`	`311`	`if (bio == NULL) {`
`309`	`312`	`OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);`
`310`	`313`	`return 0;`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ BIGNUM BN_le2bn(const uint8_t in, size_t len, BIGNUM *ret) {`
`91`	`91`	`return NULL;`
`92`	`92`	`}`
`93`	`93`	`ret->width = (int)num_words;`
	`94`	`+ ret->neg = 0;`
`94`	`95`
`95`	`96`	`bn_little_endian_to_words(ret->d, ret->width, in, len);`
`96`	`97`
Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,8 @@ static int crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,`
`138`	`138`	`X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL);`
`139`	`139`	`if (crl->idp != NULL) {`
`140`	`140`	`if (!setup_idp(crl, crl->idp)) {`
	`141`	`+ ISSUING_DIST_POINT_free(crl->idp);`
	`142`	`+ crl->idp = NULL;`
`141`	`143`	`return 0;`
`142`	`144`	`}`
`143`	`145`	`} else if (i != -1) {`
`@@ -147,6 +149,8 @@ static int crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,`
`147`	`149`	`crl->akid =`
`148`	`150`	`X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &i, NULL);`
`149`	`151`	`if (crl->akid == NULL && i != -1) {`
	`152`	`+ ISSUING_DIST_POINT_free(crl->idp);`
	`153`	`+ crl->idp = NULL;`
`150`	`154`	`return 0;`
`151`	`155`	`}`
`152`	`156`
`@@ -169,6 +173,10 @@ static int crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,`
`169`	`173`	`}`
`170`	`174`
`171`	`175`	`if (!crl_parse_entry_extensions(crl)) {`
	`176`	`+ AUTHORITY_KEYID_free(crl->akid);`
	`177`	`+ crl->akid = NULL;`
	`178`	`+ ISSUING_DIST_POINT_free(crl->idp);`
	`179`	`+ crl->idp = NULL;`
`172`	`180`	`return 0;`
`173`	`181`	`}`
`174`	`182`