Fix d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() so it correctly works out

the length of negative integers.
1999-06-24 01:50:27 +00:00 · 1999-06-24 01:50:27 +00:00 · 034292ad6a
parent 946cbf67af
commit 034292ad6a
2 changed files with 14 additions and 14 deletions
--- a/8
+++ b/8
@ -4,6 +4,14 @@

 Changes between 0.9.3a and 0.9.4

+  *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
+     up the length of negative integers. This has now been simplified to just
+     store the length when it is first determined and use it later, rather
+     than trying to keep track of where data is copied and updating it to
+     point to the end.
+     [Steve Henson, reported by Brien Wheeler
+      <bwheeler@authentica-security.com>]
+
  *) Add a new function PKCS7_signatureVerify. This allows the verification
     of a PKCS#7 signature but with the signing certificate passed to the
     function itself. This contrasts with PKCS7_dataVerify which assumes the
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@ -125,13 +125,8 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)

 	ASN1_put_object(&p,0,ret,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
 	if (pad) *(p++)=pb;
-	if (a->length == 0)
-		*(p++)=0;
-	else if (t == V_ASN1_INTEGER)
-		{
-		memcpy(p,a->data,(unsigned int)a->length);
-		p+=a->length;
-		}
+	if (a->length == 0) *(p++)=0;
+	else if (t == V_ASN1_INTEGER) memcpy(p,a->data,(unsigned int)a->length);
 	else {
 		/* Begin at the end of the encoding */
 		n=a->data + a->length - 1;
@ -148,10 +143,9 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 		i--;
 		/* Complement any octets left */
 		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
-		p += a->length;
 	}

-	*pp=p;
+	*pp+=r;
 	return(r);
 	}

@ -159,7 +153,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 	     long length)
 	{
 	ASN1_INTEGER *ret=NULL;
-	unsigned char *p,*to,*s;
+	unsigned char *p,*to,*s, *pend;
 	long len;
 	int inf,tag,xclass;
 	int i;
@ -174,6 +168,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,

 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	pend = p + len;
 	if (inf & 0x80)
 		{
 		i=ASN1_R_BAD_OBJECT_HEADER;
@ -220,13 +215,11 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		if(!i) {
 			*s = 1;
 			s[len] = 0;
-			p += len;
 			len++;
 		} else {
 			*(to--) = (*(p--) ^ 0xff) + 1;
 			i--;
 			for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
-			p += len;
 		}
 	} else {
 		ret->type=V_ASN1_INTEGER;
@ -236,14 +229,13 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 			len--;
 			}
 		memcpy(s,p,(int)len);
-		p+=len;
 	}

 	if (ret->data != NULL) Free((char *)ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
-	*pp=p;
+	*pp=pend;
 	return(ret);
 err:
 	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);