fix the rest of the read_ledword() calls used as lengths to be bounded.

inspired by guido vranken https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/
ok doug@

2 files changed, 10 insertions, 2 deletions

diff --git a/lib/libcrypto/pem/pvkfmt.c b/lib/libcrypto/pem/pvkfmt.c
index c3fd0e8d0a4..7a9045396c5 100644
--- a/lib/libcrypto/pem/pvkfmt.c
+++ b/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -179,6 +179,10 @@ do_blob_header(const unsigned char **in, unsigned int length,
 	p += 6;
 	*pmagic = read_ledword(&p);
 	*pbitlen = read_ledword(&p);
+	if (*pbitlen > 65536) {
+		PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER);
+		return 0;
+	}
 	*pisdss = 0;
 	switch (*pmagic) {
 
diff --git a/lib/libssl/src/crypto/pem/pvkfmt.c b/lib/libssl/src/crypto/pem/pvkfmt.c
index c3fd0e8d0a4..7a9045396c5 100644
--- a/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -179,6 +179,10 @@ do_blob_header(const unsigned char **in, unsigned int length,
 	p += 6;
 	*pmagic = read_ledword(&p);
 	*pbitlen = read_ledword(&p);
+	if (*pbitlen > 65536) {
+		PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER);
+		return 0;
+	}
 	*pisdss = 0;
 	switch (*pmagic) {