source: trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch @ 2833

From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 10 Nov 2015 19:03:07 +0000
Subject: [PATCH] Fix leak with ASN.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte <levitte@openssl.org>

Edited-to-apply: Alexander Chernyakhovsky <achernya@mit.edu>
---
 crypto/asn1/tasn_dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index febf605..9256049 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -169,6 +169,8 @@
        int otag;
        int ret = 0;
        ASN1_VALUE **pchptr, *ptmpval;
+       int combine = aclass & ASN1_TFLG_COMBINE;
+       aclass &= ~ASN1_TFLG_COMBINE;
        if (!pval)
                return 0;
        if (aux && aux->asn1_cb)
@@ -539,6 +541,7 @@
        auxerr:
        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
        err:
+       if (combine == 0)
        ASN1_item_ex_free(pval, it);
        if (errtt)
                ERR_add_error_data(4, "Field=", errtt->field_name,
@@ -767,7 +770,7 @@
                {
                /* Nothing special */
                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                                                       -1, 0, opt, ctx);
+                                                       -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
                if (!ret)
                        {
                        ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,