
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@chromium.org>2015-03-19 20:32:35 +0300
committerAdam Langley <agl@google.com>2015-03-19 22:42:27 +0300
commitc12d377e2400d0011e2269aa6df2a3193d0f60a9 (patch)
tree8e0b1ce8de37c3bfe28d715c65a9ea6d4d980622 /crypto/asn1
parent7e3b5840c266d8de3226da821d8432afd79797a6 (diff)
Free up ADB and CHOICE if already initialised.
CVE-2015-0287 (Imported from upstream's b485d976340d3ca080060c3c7dee9102e2200762.) Change-Id: Ie8dac46ccc95a4eee9ef535d8620217202f13ca1 Reviewed-on: https://boringssl-review.googlesource.com/4046 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/asn1')
-rw-r--r--crypto/asn1/tasn_dec.c28
1 files changed, 26 insertions, 2 deletions
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 4cece894..854f1833 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -304,8 +304,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
+ if (*pval)
+ {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount))
+ {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ }
+ else if (!ASN1_item_ex_new(pval, it))
{
OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i, ASN1_R_NESTED_ASN1_ERROR);
goto err;
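Review bot: The new `if (*pval)` branch does not say when `*pval` is already set or why the old arm has to be released, and the allocation path lost its `/* Allocate structure */` comment. A later reader could take the block for optional tidying, although the commit message ties it to CVE-2015-0287. I would put a comment above the branch such as `/* Caller supplied an existing structure for reuse: free the currently selected CHOICE arm and reset the selector so no stale pointer survives into the decode below. */` and restore `/* Otherwise allocate a fresh structure */` above the `else if`. The body of ASN1_item_ex_d2i starts and ends outside this hunk, so how the selector is set again after decoding is not visible here.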
@@ -394,6 +405,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ {
+ if (tt->flags & ASN1_TFLG_ADB_MASK)
+ {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
{
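Review bot: In the added ADB loop, the result of `asn1_do_adb(pval, tt, 1)` goes to `asn1_get_field_ptr` and `ASN1_template_free` without a NULL check. If the lookup can fail, for instance when the reused structure's selector matches no table entry (the helper's definition is not in this diff, so confirm), this cleanup pass would dereference a null template in a decoder that handles untrusted input. Skipping the field is enough: add `if (seqtt == NULL) continue;` right after the call. It is also worth checking whether the third argument `1` makes the helper queue an error, since a pass that only finds nothing to free should not leave one on the error stack. The body of ASN1_item_ex_d2i continues outside the hunk.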