commit 5a855f4303442b0476274a8ed0d1625c3e0658e1
Author: Igor Ustinov <igus68@gmail.com>
Date:   Sat Mar 7 08:16:47 2026 +0100

    Avoid possible buffer overflow in buf2hex conversion
    
    Fixes CVE-2026-31789

Index: openssl-3.1.4/crypto/o_str.c
===================================================================
--- openssl-3.1.4.orig/crypto/o_str.c
+++ openssl-3.1.4/crypto/o_str.c
@@ -229,6 +229,11 @@ static int buf2hexstr_sep(char *str, siz
     int has_sep = (sep != CH_ZERO);
     size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;
 
+    if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2)) {
+        ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+        return 0;
+    }
+
     if (strlength != NULL)
         *strlength = len;
     if (str == NULL)
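Review bot: The initializer `size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;` still runs before the new guard, so the wrapped product is computed first and only rejected afterwards. Unsigned wrap-around is well defined, so this is not a bug, but the order hides the intent. Declaring `size_t len;` and assigning `len = has_sep ? buflen * 3 : 1 + buflen * 2;` after the guard makes it plain that the multiplication cannot overflow. The new failure path also returns before `*strlength` is written, which deserves a comment such as `/* on overflow *strlength is left untouched; callers must check the return value */`. buf2hexstr_sep starts and ends outside the hunk.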
@@ -268,10 +273,18 @@ char *ossl_buf2hexstr_sep(const unsigned
     char *tmp;
     size_t tmp_n;
 
+    if (buflen < 0)
+        return NULL;
     if (buflen == 0)
         return OPENSSL_zalloc(1);
 
-    tmp_n = (sep != CH_ZERO) ? buflen * 3 : 1 + buflen * 2;
+    if ((sep != CH_ZERO && (size_t)buflen > SIZE_MAX / 3)
+        || (sep == CH_ZERO && (size_t)buflen > (SIZE_MAX - 1) / 2)) {
+        ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
+        return NULL;
+    }
+
+    tmp_n = (sep != CH_ZERO) ? (size_t)buflen * 3 : 1 + (size_t)buflen * 2;
     if ((tmp = OPENSSL_malloc(tmp_n)) == NULL) {
         ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
         return NULL;
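Review bot: The new `if (buflen < 0) return NULL;` at the top of ossl_buf2hexstr_sep fails without queuing an error, while the overflow and allocation failures below it both call ERR_raise, so for this one case a caller gets NULL with nothing on the error stack. Consider raising an error there too, e.g. `if (buflen < 0) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; }`. The range test that follows repeats the limit added to buf2hexstr_sep in the first hunk. If this function goes on to call that helper (its body continues outside the hunk), a short comment saying why both checks exist, or a shared static helper for the size computation, would keep the two limits from drifting apart.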
