There is an input sanity check in asn1_lib.c that is #if'd out for some reason. In its absence, a corrupt certificate read by d2i_X509() can at least crash the process. Additionally, the sanity checks both there and in a_bytes.c do not take into account a possibility of negative length and of pointer wrap-around, with similar results.
Code to demonstrate the bug (just run it for a few hours) and a diff are attached. Was the #if'ing out of the test intentional, and am I risking anything by enabling it? Right now I am patching openssl-engine-0.9.6c privately, but of course I'd be much happier to know I'd be able to just use plain vanilla 0.9.6d.

Thanks for the excellent library, and thanks in advance for your reply,

--
Adi Stav - developer
Topaz Prism R&D
Mercury Interactive
+972-3-5399481
[EMAIL PROTECTED]
Attachments: test_d2i_X509.c, openssl.diff
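The two failure modes the report names (a length that goes negative when held in a signed type, and `p + len` wrapping past the end of the address space) are both avoided by comparing an unsigned length against the bytes actually remaining instead of forming a pointer from it. The following is an added illustration of that check for a DER length field, written for this page and not taken from OpenSSL's asn1_lib.c or a_bytes.c; the function names, single-byte tags and the sample buffers are all constructed for the example.

```c
/* Added example (not OpenSSL code): a bounds-safe DER length decoder.
 * The unsafe pattern it replaces is roughly
 *     long len = ...; if (p + len > end) error;
 * which passes for negative len and for p + len wrapping around. */
#include <stddef.h>

/* Decode the DER length field at p (end = one past the buffer).
 * Returns the number of length bytes consumed, or 0 on any error.
 * On success *out_len bytes of content are guaranteed to lie inside
 * [p + consumed, end), so the caller never needs p + len itself. */
size_t der_read_length(const unsigned char *p, const unsigned char *end, size_t *out_len)
{
    size_t remaining, n, len = 0;
    if (p >= end) return 0;                 /* same buffer: comparison is well defined */
    remaining = (size_t)(end - p);          /* bytes left, length byte included */
    if (*p < 0x80) {                        /* short form: one byte, value < 128 */
        len = *p;
        if (len > remaining - 1) return 0;  /* compare sizes, never build p + len */
        *out_len = len;
        return 1;
    }
    n = *p & 0x7f;                          /* long form: n subsequent length bytes */
    if (n == 0 || n > sizeof(size_t) || n > remaining - 1)
        return 0;                           /* indefinite form, oversized, or truncated */
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | p[1 + i];        /* unsigned: a "negative" length is impossible */
    if (len > remaining - 1 - n) return 0;  /* content must fit in what is left */
    *out_len = len;
    return 1 + n;
}

/* Size of the first TLV in buf if it fits entirely, else 0 (single-byte tags assumed). */
size_t der_tlv_size(const unsigned char *buf, size_t buflen)
{
    size_t lenbytes, len;
    if (buflen < 2) return 0;
    lenbytes = der_read_length(buf + 1, buf + buflen, &len);
    return lenbytes ? 1 + lenbytes + len : 0;
}

/* Constructed sample inputs, not real certificate data. */
static const unsigned char SHORT_OK[]    = {0x04, 0x03, 'a', 'b', 'c'};             /* fits: 5 bytes */
static const unsigned char SHORT_TRUNC[] = {0x04, 0x05, 'a', 'b'};                  /* claims 5, has 2 */
static const unsigned char HUGE_LEN[]    = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff};    /* p + len would wrap */
static const unsigned char INDEFINITE[]  = {0x30, 0x80, 0x00, 0x00};                /* not valid DER */
static const unsigned char TRUNC_LONG[]  = {0x30, 0x84, 0x00};                      /* 4 length bytes promised, 1 present */
static const unsigned char LONG_OK[131]  = {0x30, 0x81, 0x80};                      /* 128 zero bytes of content follow */
```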