From 7d6529a415457ccfc912d6b8ddbac327516ee5d5 Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 22 May 2011 22:00:24 +0000
Subject: [PATCH] * ext/openssl/ossl_asn1.c: Forbid Constructives whose value
 is not an Array to prevent segfault. Added test.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31702 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                 |  5 +++++
 ext/openssl/ossl_asn1.c   |  7 +++++--
 test/openssl/test_asn1.rb | 12 ++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1ab9d5b4d2..3b068978f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Mon May 23 06:58:33 2011  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+	* ext/openssl/ossl_asn1.c: Forbid Constructives whose value is not an
+	Array to prevent segfault. Added test.
+
 Mon May 23 06:33:17 2011  Martin Bosslet  <Martin.Bosslet@googlemail.com>
 
 	* ext/openssl/ossl_asn1.c: Forbid Constructive without infinite
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index c6f18479d7..cd65195796 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -1225,19 +1225,22 @@ ossl_asn1cons_to_der(VALUE self)
     int found_prim = 0, seq_len;
     long length;
     unsigned char *p;
-    VALUE value, str, inf_length, ary, example;
+    VALUE value, str, inf_length;
 
     tn = NUM2INT(ossl_asn1_get_tag(self));
     tc = ossl_asn1_tag_class(self);
     inf_length = ossl_asn1_get_infinite_length(self);
     if (inf_length == Qtrue) {
+	VALUE ary, example;
 	constructed = 2;
 	if (CLASS_OF(self) == cASN1Sequence ||
 	    CLASS_OF(self) == cASN1Set) {
 	    tag = ossl_asn1_default_tag(self);
 	}
-	else { /*BIT_STRING OR OCTET_STRING*/
+	else { /* must be a constructive encoding of a primitive value */
 	    ary = ossl_asn1_get_value(self);
+	    if (!rb_obj_is_kind_of(ary, rb_cArray))
+		ossl_raise(eASN1Error, "Constructive value must be an Array");
 	    /* Recursively descend until a primitive value is found.
 	    The overall value of the entire constructed encoding
 	    is of the type of the first primitive encoding to be
diff --git a/test/openssl/test_asn1.rb b/test/openssl/test_asn1.rb
index 94083f86e4..0122e0fdcb 100644
--- a/test/openssl/test_asn1.rb
+++ b/test/openssl/test_asn1.rb
@@ -254,6 +254,18 @@ class  OpenSSL::TestASN1 < Test::Unit::TestCase
     end
   end
 
+  def test_cons_without_array_forbidden
+    assert_raise(OpenSSL::ASN1::ASN1Error) do
+      val = OpenSSL::ASN1::OctetString.new('a')
+      cons = OpenSSL::ASN1::Constructive.new(val,
+                                            OpenSSL::ASN1::OCTET_STRING,
+                                            nil,
+                                            :UNIVERSAL)
+      cons.infinite_length = true
+      cons.to_der
+    end
+  end
+
   def test_seq_infinite_length
     begin
       content = [ OpenSSL::ASN1::Null.new(nil),