From a91e537d16d74050dbde50bb0dfb1fe9930f0521 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Sat, 7 Mar 2026 08:16:47 +0100
Subject: [PATCH] Avoid possible buffer overflow in buf2hex conversion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes CVE-2026-31789
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:41:24 2026
crypto/o_str.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
@@ -236,4 +236,9 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
int has_sep = (sep != CH_ZERO);
size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;
+ if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2)) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+ return 0;
+ }
+
if (strlength != NULL)
@@ -277,10 +282,18 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep)
char *tmp;
size_t tmp_n;
+ if (buflen < 0)
+ return NULL;
if (buflen == 0)
return OPENSSL_zalloc(1);
- tmp_n = (sep != CH_ZERO) ? buflen * 3 : 1 + buflen * 2;
+ if ((sep != CH_ZERO && (size_t)buflen > SIZE_MAX / 3)
+ || (sep == CH_ZERO && (size_t)buflen > (SIZE_MAX - 1) / 2)) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+ return NULL;
+ }
+
+ tmp_n = (sep != CH_ZERO) ? (size_t)buflen * 3 : 1 + (size_t)buflen * 2;
if ((tmp = OPENSSL_malloc(tmp_n)) == NULL) {
ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
return NULL;
