Commit 25b37961f7 for openssl.org
commit 25b37961f7341de7ccb0f01e61fcdefc61a30e36
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon Jun 15 20:10:07 2026 +0200
Prevent integer overflow in ASN1_mbstring_ncopy
This prevents a theoretically possible integer overflow
in OPENSSL_malloc(outlen + 1) at the end of ASN1_mbstring_ncopy,
when outlen is exactly INT_MAX.
That affects conversions from MBSTRING_ASC to MBSTRING_UTF8
and MBSTRING_UTF8 to MBSTRING_ASC,
because a terminating zero has to be added to the result.
And also conversions MBSTRING_BMP to MBSTRING_UTF8
in cases when UTF8 characters 0x800..0xFFFF are encoded
as 3-byte UTF8-characters and the resulting UTF8-string
is exactly INT_MAX in size.
Fixes: 97f6b621f7af ("Reject oversized inputs in ASN1_mbstring_ncopy()")
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 24 12:49:08 2026
(Merged from https://github.com/openssl/openssl/pull/31527)
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 236082ec39..9329472e9b 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -69,6 +69,9 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
if (len < 0) {
ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_INVALID_ARGUMENT);
return -1;
+ } else if (len >= INT_MAX) {
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG);
+ return -1;
}
/* First do a string check and work out the number of characters */
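Review bot: Nothing in the new `len >= INT_MAX` branch says why exactly INT_MAX is too long, and the same holds for the `>` to `>=` change in out_utf8 in the second hunk: going by the commit message, both bounds exist only so that the `outlen + 1` passed to OPENSSL_malloc at the end of ASN1_mbstring_ncopy (outside these hunks) cannot overflow. Because that coupling is invisible at either site, a later edit to the allocation or to one of the checks could quietly reopen the overflow. I would add `/* one byte is reserved for the terminating NUL, so INT_MAX itself is too long */` above the new branch and `/* keep *outlen below INT_MAX: the caller allocates outlen + 1 */` above the out_utf8 test. Since len is an int, `len >= INT_MAX` can only be true when len equals INT_MAX, and the comment should say that this is intended. Both function bodies start and end outside the hunks.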
@@ -305,7 +308,7 @@ static int out_utf8(uint32_t value, void *arg)
return len;
}
outlen = arg;
- if (*outlen > INT_MAX - len) {
+ if (*outlen >= INT_MAX - len) {
ERR_raise(ERR_LIB_ASN1, ASN1_R_STRING_TOO_LONG);
return -1;
}