Jinwen He

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A signed integer overflow occurs when sizing the destination buffer for Unicode output in the `ASN1 mbstring ncopy()` function, which can lead to a heap buffer overflow. This happens in `ASN1 mbstring copy()` and `ASN1 mbstring ncopy()` because the destination size for Unicode output is computed as a signed integer. Specifically, the calculation overflows when the input reaches approximately 2^30 characters through a left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), or by summing per-character byte counts for UTF8STRING. In the worst-case scenario involving UNIVERSALSTRING at 2^30 characters, the size wraps to zero, resulting in a minimal allocation that is subsequently overwritten by several gigabytes of data. This may lead to a crash, undefined behavior, or attacker-controlled code execution. Triggering this issue requires an application to call `ASN1 mbstring copy()` or `ASN1 mbstring ncopy()` directly, or register a custom string type via `ASN1 STRING TABLE add()` with attacker-controlled input of half a gigabyte or more. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.