Don't read it->funcs without checking it->itype.
it->funcs is only an ASN1_AUX for ASN1_ITYPE_SEQUENCE and
ASN1_ITYPE_CHOICE. Fortunately, the other possible types for it->funcs
are larger than ASN1_AUX and we don't touch the result when we
shouldn't, so this is merely a strict aliasing violation.
Change-Id: I29e94249e0b137fe8df0b16254366ae6705c8784
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49351
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index 346887b..eea219d 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -95,14 +95,8 @@
{
const ASN1_TEMPLATE *tt = NULL;
const ASN1_EXTERN_FUNCS *ef;
- const ASN1_AUX *aux = it->funcs;
- ASN1_aux_cb *asn1_cb;
ASN1_VALUE **pseqval;
int i;
- if (aux && aux->asn1_cb)
- asn1_cb = aux->asn1_cb;
- else
- asn1_cb = 0;
switch (it->itype) {
@@ -127,7 +121,9 @@
goto memerr;
break;
- case ASN1_ITYPE_CHOICE:
+ case ASN1_ITYPE_CHOICE: {
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
if (asn1_cb) {
i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
if (!i)
@@ -146,8 +142,11 @@
if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
goto auxerr2;
break;
+ }
- case ASN1_ITYPE_SEQUENCE:
+ case ASN1_ITYPE_SEQUENCE: {
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
if (asn1_cb) {
i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
if (!i)
@@ -173,6 +172,7 @@
goto auxerr2;
break;
}
+ }
return 1;
memerr2:
