From 16e5f81473c91033bae64963b5a2f86b2b8adeb2 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Wed, 11 Sep 2013 11:37:33 +0200
Subject: [PATCH] Fixed potential negative value misinterpretation in
 load_file() (cherry picked from commit
 42c3ccf36e86972bff3a74c1e74c11311e6a7af0)

Conflicts:
	library/x509parse.c
---
 ChangeLog           |  1 +
 library/x509parse.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 88e5341e2..9e8eb0ba7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ PolarSSL ChangeLog
 Security
    * Potential buffer-overflow for ssl_read_record() (independently found by
      both TrustInSoft and Paul Brodeur of Leviathan Security Group)
+   * Potential negative value misinterpretation in load_file()
 
 = Version 1.1.7 released on 2013-06-19
 Changes
diff --git a/library/x509parse.c b/library/x509parse.c
index 12ad67c1d..c6e252752 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -1727,16 +1727,27 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
 int load_file( const char *path, unsigned char **buf, size_t *n )
 {
     FILE *f;
+    long size;
 
     if( ( f = fopen( path, "rb" ) ) == NULL )
         return( POLARSSL_ERR_X509_FILE_IO_ERROR );
 
     fseek( f, 0, SEEK_END );
-    *n = (size_t) ftell( f );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( POLARSSL_ERR_X509_FILE_IO_ERROR );
+    }
     fseek( f, 0, SEEK_SET );
 
-    if( ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL )
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL )
+    {
+        fclose( f );
         return( POLARSSL_ERR_X509_MALLOC_FAILED );
+    }
 
     if( fread( *buf, 1, *n, f ) != *n )
     {