commit 17a35b4ef3f6d38acd94c4ea2d4ccbdd311ba8a8
author android-build-team Robot <android-build-team-robot@google.com> Thu May 25 17:52:53 2017 +0000
committer android-build-team Robot <android-build-team-robot@google.com> Thu May 25 17:52:53 2017 +0000
tree f7665dd7b34aa5368957a3874d165272f2075ff3
parent 0ea06423d0487dc75de77137d66f42cdb31e9990
parent 72e9b9ed03689d2bab064f9f8bc81f17de4c61e1

Merge cherrypicks of [2315763, 2315554, 2315573, 2315765, 2315712, 2315595, 2315713, 2315746, 2315786, 2315799, 2315576, 2315800, 2315673, 2315821, 2315578, 2315597, 2315633, 2315598, 2315769, 2315716, 2315634, 2315823, 2315801, 2315636, 2315717, 2315772, 2315753, 2315803, 2315638, 2315840, 2315841, 2315842, 2315824, 2315791, 2315879, 2315804, 2315827, 2315863, 2315792, 2315864, 2315755, 2315882, 2315756, 2315828, 2315793, 2315865, 2315883, 2315899, 2315885, 2315796, 2315869, 2315923, 2315924, 2315943] into nyc-mr1-security-e-release

Change-Id: I2c41e79b49a0189c65c2a8c831d58f236e8641bb

src/crypto/asn1/a_d2i_fp.c

diff --git a/src/crypto/asn1/a_d2i_fp.c b/src/crypto/asn1/a_d2i_fp.c
index 97ec75b..af03bc0 100644
--- a/src/crypto/asn1/a_d2i_fp.c
+++ b/src/crypto/asn1/a_d2i_fp.c
@@ -140,6 +140,7 @@
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	{
 	BUF_MEM *b;
@@ -231,6 +232,7 @@
 			want=c.slen;
 			if (want > (len-off))
 				{
+                                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
 				want-=(len-off);
 				if (want > INT_MAX /* BIO_read takes an int length */ ||
 					len+want < len)
@@ -238,23 +240,37 @@
 						OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 						goto err;
 						}
-				if (!BUF_MEM_grow_clean(b,len+want))
-					{
-					OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-					goto err;
-					}
 				while (want > 0)
 					{
-					i=BIO_read(in,&(b->data[len]),want);
-					if (i <= 0)
-						{
-						OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
-						goto err;
-						}
-					/* This can't overflow because
-					 * |len+want| didn't overflow. */
-					len+=i;
-					want-=i;
+
+                                        /*
+                                         * Read content in chunks of increasing size
+                                         * so we can return an error for EOF without
+                                         * having to allocate the entire content length
+                                         * in one go.
+                                         */
+                                        size_t chunk = want > chunk_max ? chunk_max : want;
+
+                                        if (!BUF_MEM_grow_clean(b, len + chunk)) {
+                                          OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
+                                          goto err;
+                                        }
+                                        want -= chunk;
+                                        while (chunk > 0) {
+                                          i = BIO_read(in, &(b->data[len]), chunk);
+                                          if (i <= 0) {
+                                            OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
+                                            goto err;
+                                          }
+                                          /*
+                                           * This can't overflow because |len+want| didn't
+                                           * overflow.
+                                           */
+                                          len += i;
+                                          chunk -= i;
+                                        }
+                                        if (chunk_max < INT_MAX/2)
+                                          chunk_max *= 2;
 					}
 				}
 			if (off + c.slen < off)