openssl/openssl

win32_joiner() in crypto/dso/dso_win32.c writes 1 byte past the allocation when the directory has no trailing separator and file is NULL

Open

#31260 opened on May 20, 2026

View on GitHub
 (2 comments) (0 reactions) (0 assignees)C (30,157 stars) (11,262 forks)batch import
branch: 3.0branch: 3.4branch: 3.5branch: 3.6branch: 4.0good first issuetriaged: bug

Description

In win32_joiner() (crypto/dso/dso_win32.c), the directory trailing-separator is budgeted into len only when file_split->file is non-NULL but is emitted unconditionally by the directory loop; when dir is set without a trailing separator and file == NULL, the final result[offset] = '\0' writes one byte past OPENSSL_malloc(len + 1).

Contributor guide

Tech stack
c
Domain
securitybackend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
C programmingknowledge of memory management
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
The issue is in crypto/dso/dso win32.c, function win32 joiner(). The bug occurs when directory has no trailing separator and file is NULL, causing a buffer overflow. To fix, ensure that the null terminator is only written within allocated bounds, or adjust allocation to account for the separator when dir lacks it. The fix should check if file split >file is NULL when adding the separator, and only allocate extra byte if needed.