From 4ff41f614cd90e947957cc63a3c7ca2372c1a45d Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 26 Jul 2016 08:28:44 -0400
Subject: Check for overflow in CBB_add_u24.

All other CBB_add_u functions take a narrowed type, but not every uint32_t may fit in a u24. Check for this rather than silently truncate.

Change-Id: I23879ad0f4d2934f257e39e795cf93c6e3e878bf
Reviewed-on: https://boringssl-review.googlesource.com/8940
Reviewed-by: Adam Langley
Commit-Queue: Adam Langley
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 crypto/bytestring/bytestring_test.cc | 18 ++++++++++++++++++
 crypto/bytestring/cbb.c | 6 ++++++
 2 files changed, 24 insertions(+)
(limited to 'crypto')
diff --git a/crypto/bytestring/bytestring_test.cc b/crypto/bytestring/bytestring_test.cc
index 5441da77..9ab2c0c2 100644
--- a/crypto/bytestring/bytestring_test.cc
+++ b/crypto/bytestring/bytestring_test.cc
@@ -852,6 +852,24 @@ static bool TestStickyError() {
 return false;
 }
 
+ // Write a u32 that cannot fit in a u24.
+ cbb.Reset();
+ if (!CBB_init(cbb.get(), 0)) {
+ return false;
+ }
+
+ if (CBB_add_u24(cbb.get(), 1u << 24)) {
+ fprintf(stderr, "CBB_add_u24 unexpectedly succeeded.\n");
+ return false;
+ }
+
+ // All future operations should fail.
+ if (CBB_add_u8(cbb.get(), 0) ||
+ CBB_finish(cbb.get(), &ptr, &len)) {
+ fprintf(stderr, "Future operations unexpectedly succeeded.\n");
+ return false;
+ }
+
 return true;
 }
 
diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c
index 9b38a6b1..ff2bc361 100644
--- a/crypto/bytestring/cbb.c
+++ b/crypto/bytestring/cbb.c
@@ -156,6 +156,12 @@ static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
 buf[i] = v;
 v >>= 8;
 }
+
+ if (v != 0) {
+ base->error = 1;
+ return 0;
+ }
+
 return 1;
 }
 
--
cgit v1.2.3
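Review bot: The case added to TestStickyError exercises only the first rejected value, `1u << 24`; nothing in this hunk checks that the largest value that does fit, `0xffffff`, is still accepted, so a range check that rejected one value too many would still pass. Unless a test outside this hunk already covers it, add a positive boundary case on a freshly initialised CBB before the failing call, e.g. `if (!CBB_add_u24(cbb.get(), 0xffffff)) { return false; }`. The function starts above the hunk, so the declarations of `ptr` and `len` are not visible here.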
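Review bot: The `v != 0` check runs after the loop has already stored the low bytes through `buf`, so on failure the truncated encoding is left in the buffer and only the sticky `base->error` keeps it from being handed to a caller. That is sound as long as every reader goes through an error-checked path, but the reliance should be stated next to the check, e.g. `/* |v| did not fit in the requested width; the truncated bytes are already written, so the sticky error is what prevents them from being returned. */`. Because silent truncation of a length-like field is the hazard being closed here, the public documentation of CBB_add_u24 (not part of this diff) should also say that it fails for values of 2^24 or more. The function begins above the hunk, so how the space behind `buf` is reserved is not visible here.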