authortedu <tedu@openbsd.org>2016-05-03 12:38:53 +0000
committertedu <tedu@openbsd.org>2016-05-03 12:38:53 +0000
commit80cd118dbad7bb4b6c3a359a3ac5505cceead82b (patch)
tree8c4ba42d5b4adcd740417514d6ff71b21cc5b804 /lib/libcrypto/evp/encode.c
parentimplement bus_space_read_raw_X and bus_space_write_raw_X (diff)
patch from openssl for multiple issues:
missing padding check in aesni functions
overflow in evp encode functions
use of invalid negative asn.1 types
ok beck
Diffstat (limited to 'lib/libcrypto/evp/encode.c')
-rw-r--r--lib/libcrypto/evp/encode.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libcrypto/evp/encode.c b/lib/libcrypto/evp/encode.c
index 725667bfff2..0dd87eb1a90 100644
--- a/lib/libcrypto/evp/encode.c
+++ b/lib/libcrypto/evp/encode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encode.c,v 1.20 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: encode.c,v 1.21 2016/05/03 12:38:53 tedu Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
+#include <sys/limits.h>
#include <stdio.h>
#include <string.h>
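Review bot: The added `#include <sys/limits.h>` is a system-specific header, while the only limit the new code uses is `INT_MAX`, which standard C provides through `<limits.h>`. If this file is ever built outside OpenBSD, `#include <limits.h>` gives the same definition without depending on the `sys/` path.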
@@ -124,13 +125,13 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl == 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
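Review bot: A negative `inl` still reaches the `memcpy` in this branch, because the entry guard is `if (inl == 0)` and the rewritten test `ctx->length - ctx->num > inl` is true for any negative `inl`. `memcpy` then converts that value to a very large `size_t` length. Changing the guard to `if (inl <= 0) return;` closes that path whatever callers pass. The subtraction form also relies on `ctx->num` never exceeding `ctx->length`, so a short comment stating that invariant above the test would help. The body of EVP_EncodeUpdate continues outside this hunk.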
@@ -147,7 +148,7 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -156,6 +157,11 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
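Review bot: The overflow path at `if (total > INT_MAX)` signals failure only by setting `*outl = 0`, which is the same result a caller sees when input was merely buffered. Since the function returns void, the two cases cannot be told apart. By then the loop bounded by `total <= INT_MAX` has already written encoded blocks to `out`, and the early return skips both the tail `memcpy` and `ctx->num = inl`, so the remaining input is dropped without the context recording it. The comment should at least say this, e.g. `/* Output length does not fit in int: report 0 bytes; data already written to out is abandoned and the input tail is not buffered. */`. A return value carrying the error would be the fuller fix, but it changes the interface. The function begins before this hunk, so the state of `ctx->num` at this point is not visible here.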