diff --git a/ChangeLog b/ChangeLog index 88e5341e2..9e8eb0ba7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ PolarSSL ChangeLog Security * Potential buffer-overflow for ssl_read_record() (independently found by both TrustInSoft and Paul Brodeur of Leviathan Security Group) + * Potential negative value misinterpretation in load_file() = Version 1.1.7 released on 2013-06-19 Changes diff --git a/library/x509parse.c b/library/x509parse.c index 12ad67c1d..c6e252752 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -1727,16 +1727,27 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) int load_file( const char *path, unsigned char **buf, size_t *n ) { FILE *f; + long size; if( ( f = fopen( path, "rb" ) ) == NULL ) return( POLARSSL_ERR_X509_FILE_IO_ERROR ); fseek( f, 0, SEEK_END ); - *n = (size_t) ftell( f ); + if( ( size = ftell( f ) ) == -1 ) + { + fclose( f ); + return( POLARSSL_ERR_X509_FILE_IO_ERROR ); + } fseek( f, 0, SEEK_SET ); - if( ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL ) + *n = (size_t) size; + + if( *n + 1 == 0 || + ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL ) + { + fclose( f ); return( POLARSSL_ERR_X509_MALLOC_FAILED ); + } if( fread( *buf, 1, *n, f ) != *n ) {