EVP_CIPHER_CTX_get_algor_params() may attempt to access params array

at position -1 (prams[=1]). The issue has been reported by coverity check. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25303)
2024-08-28 14:37:07 +02:00 · 2024-08-28 14:37:07 +02:00 · bbe4571f57
commit bbe4571f57
parent c23ce35225
1 changed files with 3 additions and 1 deletions
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@ -1306,6 +1306,8 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg)
        i = 0;
    if (OSSL_PARAM_modified(&params[1]) && params[1].return_size != 0)
        i = 1;
+    if (i < 0)
+        goto err;

    /*
     * If alg->parameter is non-NULL, it will be changed by d2i_ASN1_TYPE()
@ -1318,7 +1320,7 @@ int EVP_CIPHER_CTX_get_algor_params(EVP_CIPHER_CTX *ctx, X509_ALGOR *alg)

    derk = params[i].key;
    derl = params[i].return_size;
-    if (i >= 0 && (der = OPENSSL_malloc(derl)) != NULL) {
+    if ((der = OPENSSL_malloc(derl)) != NULL) {
        unsigned char *derp = der;

        params[i] = OSSL_PARAM_construct_octet_string(derk, der, derl);