Dev news

Commit 59cdf92d38 for openssl.org

commit 59cdf92d383b0035f030a3d7a1473f7581db05bc
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date:   Fri Feb 13 07:42:48 2026 +0100

    Alternate fix for CVE-2025-69419

    This affects the function OPENSSL_uni2utf8
    which caused heap buffer overflow when certain
    unicode characters are converted.
    The current fix is incomplete and does only prevent the
    crash by making OPENSSL_uni2utf8 return a NULL pointer.
    But with this change the OPENSSL_uni2utf8 will return the
    correct utf8 string instead of a NULL pointer.
    Additionally we add a simple test case that demonstrates
    the original CVE.

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Wed Feb 18 15:46:35 2026
    (Merged from https://github.com/openssl/openssl/pull/29997)

diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index 8b5f2909e8..6e63d87346 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -175,7 +175,7 @@ static int bmp_to_utf8(char *str, const unsigned char *utf16, int len)
         utf32chr += 0x10000;
     }

-    return UTF8_putc((unsigned char *)str, len > 4 ? 4 : len, utf32chr);
+    return UTF8_putc((unsigned char *)str, 4, utf32chr);
 }

 char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index 56af2b369b..3d25524bec 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -20,6 +20,7 @@

 #include <openssl/asn1.h>
 #include <openssl/evp.h>
+#include <openssl/pkcs12.h>
 #include <openssl/objects.h>
 #include <openssl/posix_time.h>
 #include "testutil.h"
@@ -570,6 +571,22 @@ static int test_mbstring_ncopy(void)
     return 1;
 }

+static int test_ossl_uni2utf8(void)
+{
+    const unsigned char in[] = { 0x21, 0x92 }; /* unicode right arrow */
+    int inlen = 2;
+    char *out = NULL;
+    int ok = 0;
+
+    /* reproducer for CVE-2025-69419 */
+    out = OPENSSL_uni2utf8(in, inlen);
+    if (TEST_str_eq(out, "\xe2\x86\x92"))
+        ok = 1;
+
+    OPENSSL_free(out);
+    return ok;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(test_tbl_standard);
@@ -582,5 +599,6 @@ int setup_tests(void)
     ADD_TEST(posix_time_test);
     ADD_TEST(test_asn1_time_tm_conversions);
     ADD_TEST(test_mbstring_ncopy);
+    ADD_TEST(test_ossl_uni2utf8);
     return 1;
 }