Commit 00fba2aca4 for openssl.org

commit 00fba2aca43261cff42f01f183d654ab0dfc1fd1
Author: Tomas Mraz <tomas@openssl.foundation>
Date:   Tue May 5 17:01:42 2026 +0200

    The tag value must fit into int

    We cannot allow an unbounded tag value as this is an O(n^2) algorithm
    and the tag cannot be larger than INT_MAX anyway.
    Fixes 35852da1d9e24cb74034b2f418cef3a58203b127

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.foundation>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    MergeDate: Thu May  7 12:12:25 2026
    (Merged from https://github.com/openssl/openssl/pull/31091)

diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
index 629d517028..8f9e267689 100644
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -169,8 +169,15 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)

         diff--;
         if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) {
+            unsigned int i = 0;
             /* Multi-byte tag.  See if we have the whole thing yet */
             do {
+                if (i > 4) {
+                    /* The tag value must fit into int */
+                    ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
+                    goto err;
+                }
+                ++i;
                 diff--;
             } while (diff > 0 && *(q++) & 0x80);