On 16/09/16 08:05, Matthias Apitz wrote:
> On Thursday, September 15, 2016 at 10:35:34PM -0700, sivagopiraju wrote:
>
>> int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
>>
>> OBJ_obj2txt() converts the ASN1_OBJECT a into a textual representation. The
>> representation is written as a null terminated string to buf; at most buf_len
>> bytes are written, truncating the result if necessary. *The total amount of
>> space required is returned*. If no_name is 0 then if the object has a long
>> or short name then that will be used, otherwise the numerical form will be
>> used. If no_name is 1 then the numerical form will always be used.
>>
>> The above statement says that *the amount of space required is
>> returned*.
>
> I saw this, but 'amount of space required' is IMHO vague, I'd expect
> 'the length of the resulting string is returned'

That is the heart of the problem. OBJ_obj2txt() does not return what you
might expect. The author of TS_OBJ_print_bio() expected it to return the
length of the resulting string (as you do). However, OBJ_obj2txt() might
truncate what it would otherwise produce if the supplied buffer isn't big
enough - but it still returns the length of the untruncated string.

The implementation of TS_OBJ_print_bio() used BIO_write() to print the
string, using the untruncated string length. This is obviously wrong and
could cause an out-of-bounds read. By swapping to BIO_printf() this is
avoided because it only prints the string until it hits the NUL
terminator, which should always be within the bounds of the supplied
buffer.

Matt
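As an added illustration of the length mismatch described in Matt's reply (not code from the OpenSSL project or from this thread), the stand-in below has the same snprintf-like contract as OBJ_obj2txt() and measures how far the old "trust the return value" pattern would read past the bytes actually written; the helper names, the sample OID string and the 128-byte local buffer are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OBJ_obj2txt() (hypothetical, not OpenSSL code): like snprintf it
 * writes at most buf_len bytes including the NUL, truncates if needed, and
 * returns the length the *untruncated* text would have had. */
static int fake_obj2txt(char *buf, int buf_len, const char *dotted_oid)
{
    return snprintf(buf, (size_t)buf_len, "%s", dotted_oid);
}

/* The pattern the old TS_OBJ_print_bio() relied on: take the return value as
 * the number of valid bytes in buf. Here it is only returned, not read, so the
 * discrepancy can be observed without touching memory past the buffer. */
static int length_trusted_by_old_code(char *buf, int buf_len, const char *oid)
{
    int n = fake_obj2txt(buf, buf_len, oid);
    return n; /* the old code handed this straight to BIO_write() */
}

/* The safe pattern: stop at the NUL terminator, which is always inside the
 * buffer when buf_len > 0. This is what BIO_printf("%s") effectively does. */
static int length_actually_in_buffer(char *buf, int buf_len, const char *oid)
{
    fake_obj2txt(buf, buf_len, oid);
    return (int)strnlen(buf, (size_t)buf_len);
}

/* Bytes the old pattern would have read beyond the text that was really
 * written; 0 means the buffer was large enough and no truncation occurred. */
int overread_bytes(const char *oid, int buf_len)
{
    char buf[128]; /* assumed local buffer size for the demonstration */
    if (buf_len > (int)sizeof(buf))
        buf_len = (int)sizeof(buf);
    int trusted = length_trusted_by_old_code(buf, buf_len, oid);
    int real = length_actually_in_buffer(buf, buf_len, oid);
    return trusted - real;
}

int main(void)
{
    const char *oid = "1.2.840.113549.1.1.11"; /* sample dotted OID, 21 chars */
    printf("8-byte buffer: old code over-reads by %d bytes\n",
           overread_bytes(oid, 8));   /* 21 reported, 7 written -> 14 */
    printf("128-byte buffer: old code over-reads by %d bytes\n",
           overread_bytes(oid, 128)); /* fits, so 0 */
    return 0;
}
```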