Browse files

Fix OOB read in TS_OBJ_print_bio().

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.


Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <>
  • Loading branch information...
snhenson committed Jul 21, 2016
1 parent d0c4415 commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a
Showing with 2 additions and 3 deletions.
  1. +2 −3 crypto/ts/ts_lib.c
@@ -40,9 +40,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
char obj_txt[128];
int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
BIO_write(bio, obj_txt, len);
BIO_write(bio, "\n", 1);
OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
BIO_printf(bio, "%s\n", obj_txt);
return 1;

0 comments on commit 0ed26ac

Please sign in to comment.