From 5d44130278a693e332bdc09936c79e1e7cbce2c7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 18 Jul 2024 10:48:58 +0200
Subject: [PATCH] i2d_name_canon(): Check overflow in len accumulation

Fixes Coverity 1604638

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24930)

(cherry picked from commit b2deefb9d262f0f9eae6964006df98c2fa24daac)
(cherry picked from commit dd744cd19b3ff2bdc320c8a77b5c32ff543eaeb3)
(cherry picked from commit a3bfc4fd5b5641b05d6611073146627cf9114436)
---
 crypto/x509/x_name.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index 944eb9992486d..5d3a4f9200407 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -476,8 +476,8 @@ static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
         v = sk_ASN1_VALUE_value(intname, i);
         ltmp = ASN1_item_ex_i2d(&v, in,
                                 ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
-        if (ltmp < 0)
-            return ltmp;
+        if (ltmp < 0 || len > INT_MAX - ltmp)
+            return -1;
         len += ltmp;
     }
     return len;