From 0f90c4de9f58070a423003ec6b34ef1a9a670ec9 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger
Date: Sat, 13 May 2023 09:04:18 +0200
Subject: Fix stack corruption in ui_read
This is an alternative to #20893
Additionally this fixes also a possible issue in UI_UTIL_read_pw: When UI_new returns NULL, the result code would still be zero as if UI_UTIL_read_pw succeeded, but the password buffer is left uninitialized, with subsequent possible stack corruption or worse.
Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/20957)
(cherry picked from commit a64c48cff88e032cf9513578493c4536df725a22)
---
 crypto/ui/ui_lib.c | 4 ++++
 crypto/ui/ui_util.c | 4 +---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 49cc45057c..daf11c7a0d 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -529,6 +529,10 @@ int UI_process(UI *ui)
 ok = 0;
 break;
 }
+ } else {
+ ui->flags &= ~UI_FLAG_REDOABLE;
+ ok = -2;
+ goto err;
 }
 }
diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c
index 32a3c4e38d..e582252da6 100644
--- a/crypto/ui/ui_util.c
+++ b/crypto/ui/ui_util.c
@@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,
 int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
 int verify)
 {
- int ok = 0;
+ int ok = -2;
 UI *ui;
 if (size < 1)
@@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
 ok = UI_process(ui);
 UI_free(ui);
 }
- if (ok > 0)
- ok = 0;
 return ok;
 }
-- cgit v1.2.1
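Review bot: The added `else` in UI_process returns a bare `-2` and clears `UI_FLAG_REDOABLE` with no comment, and the `if` it pairs with lies outside the hunk, so a reader cannot tell which case is being rejected. A one-line comment on the branch would record the reason, for example `/* nothing was read into the result buffer: fail rather than fall through with ok == 0 */` (wording to be confirmed against the enclosing condition). The `err:` label is also outside the hunk, so it is worth checking whether that path records an error for `-2` or whether this failure is reported by the return code alone.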
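Review bot: Changing the default to `int ok = -2;` in UI_UTIL_read_pw only protects callers that check the return value, because `buf` is still left unwritten on the path where no UI object is created. As defence in depth, the function could terminate the buffer on any failure, for example `if (ok != 0) buf[0] = '\0';` just before the `return ok;` shown in the last ui_util.c hunk. A caller that ignores the result would then read an empty string, not uninitialized stack. The body between the two ui_util.c hunks is not visible, so confirm that `size >= 1` is guaranteed at that point (the `if (size < 1)` guard presumably returns early). That last hunk also stops clamping positive results from UI_process to zero, so a short comment stating which return values callers should now expect would help.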