Fix CVE-2022-3602 in punycode decoder.

paulidale · t8m · commit fe3b639dc19b · 2022-11-01T10:49:18.000+01:00
An off by one error in the punycode decoder allowed for a single unsigned int
overwrite of a buffer which could cause a crash and possible code execution.

Reviewed-by: Matt Caswell &lt;matt@openssl.org&gt;
Reviewed-by: Tomas Mraz &lt;tomas@openssl.org&gt;
diff --git a/crypto/punycode.c b/crypto/punycode.c
@@ -181,7 +181,7 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
         n = n + i / (written_out + 1);
         i %= (written_out + 1);
 
-        if (written_out > max_out)
+        if (written_out >= max_out)
             return 0;
 
         memmove(pDecoded + i + 1, pDecoded + i,
