Avoid freeing a caller-owned buffer in PKCS7_verify()
If a PKCS#7 S/MIME message comes with an empty set of digestAlgorithms
in the SignedData, PKCS7_verify() would incorrectly free a caller-owned
buffer. Fix the freeing logic to avoid this situation.
From Igor Ustinov via OpenSSL

Add some missing bounds checks to ASN1_mbstring_copy()
If the in string is unreasonably long, assigning strlen(in) to an int
may overflow, so exclude this situation.
Moreover, the code would unconditionally multiply nchar by 2 or 4,
which could again overflow an int. Check for this situation and error
out to avoid an out of bounds write.
More may be needed in here, which will be revisited later.
Based on a diff by Viktor Dukhovni via OpenSSL.
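
The two length checks described in the commit message above, as an added example that is not the committed code or the OpenSSL diff. The function names len_to_int, scaled_len and widen_latin1 are hypothetical, and the Latin-1 widening stands in for the string conversion.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Narrow a size_t length to int; fail instead of wrapping. */
int len_to_int(size_t n, int *len)
{
    if (n > (size_t)INT_MAX)
        return -1;
    *len = (int)n;
    return 0;
}

/* Bytes needed for nchar characters of `width` bytes each (1, 2 or 4). */
int scaled_len(int nchar, int width, int *outlen)
{
    if (nchar < 0 || (width != 1 && width != 2 && width != 4))
        return -1;
    if (nchar > INT_MAX / width)    /* nchar * width would overflow int */
        return -1;
    *outlen = nchar * width;
    return 0;
}

/*
 * Widen a Latin-1 string to big-endian 1-, 2- or 4-byte characters.
 * Returns bytes written, or -1 if a length check fails or out is too small.
 */
int widen_latin1(const char *in, int width, unsigned char *out, size_t cap)
{
    int nchar, outlen, i;

    if (len_to_int(strlen(in), &nchar) != 0)
        return -1;
    if (scaled_len(nchar, width, &outlen) != 0)
        return -1;
    if ((size_t)outlen > cap)       /* refuse rather than write past out */
        return -1;
    memset(out, 0, (size_t)outlen);
    for (i = 0; i < nchar; i++)
        out[(size_t)i * width + (width - 1)] = (unsigned char)in[i];
    return outlen;
}
```
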
Avoid out-of-bounds read in CMS password-based decryption
The RFC 3211 PWRI integrity check when unwrapping the password-derived key
accesses seven bytes from a heap-allocated buffer. If an (invalid) block
cipher with short blocks is in use 2 * blocksize may not be sufficient room
for 7 bytes. In that silly case, the function performs an OOB read. Add
length check to avoid this situation.
From Igor Ustinov via OpenSSL.

Avoid NULL dereference in password-based CMS decryption
The keyDerivationAlgorithm field is OPTIONAL in the ASN.1 but required
for password-based CMS. Check that the field is present before using it
to avoid a crash.
From Igor Ustinov via OpenSSL

Two fixes for RI codepoints. Firstly, do not combine more than two of
them - previously we were ending up with four codepoints in one cell
which tmux believed to be width 2, but terminals considered width 4.
Secondly, invalidate cursor position before redrawing the cell when the
second codepoint is received; terminals vary in how they manage
backspace and cursor movement across these characters, so it is better
to use absolute rather than relative positioning. GitHub issue 4853.

call rasops_show_screen() in inteldrm_activate() wakeup
From Walter Alejandro Iglesias who reports this stops garbage on screen
when resuming from hibernate without switching vt, on an unknown machine.
Avoids a similar problem on matthieu's Framework Alder Lake, and mvs'
Gemini Lake and Alder Lake machines.

Avoid signed overflow in fmt_scaled
Adding the scaled fractional part to whole may result in a signed overflow.
Guard against this by adding checks before subtracting or adding.
problem pointed out by a friend of claudio's
fix looks good to claudio, ok djm

ecdh: add error codes for point at infinity/not on curve
The point at infinity would previously raise EC_R_POINT_AT_INFINITY via
EC_POINT_get_affine_coordinates(). For consistency, also raise an error
for off-curve points.
pointed out by/ok kenjiro

switch nfs_getreq() to nfsd_adv()
from miod@ ok jsg@
This round of commits was prompted by a double-free report
from Andrew Griffiths at Calif.
server nfs request mbuf pointers were stored in two structs:
nmi_mrep in struct nfsm_info
nd_mrep in struct nfsrv_descript
but only set to NULL after m_freem() in nmi_mrep
This problem is avoided by removing the use of struct nfsm_info
in the server paths and passing struct nfsrv_descript to
new versions of the nfsm functions.