diff -up openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling openssl-fips-0.9.8e/crypto/asn1/a_object.c
--- openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling	2006-02-21 02:00:47.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/asn1/a_object.c	2014-08-08 11:41:54.998379046 +0200
@@ -284,12 +284,35 @@ err:
 		ASN1_OBJECT_free(ret);
 	return(NULL);
 }
+
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	     long len)
 	{
 	ASN1_OBJECT *ret=NULL;
 	const unsigned char *p;
-	int i;
+	int i, length;
+
+	/* Sanity check OID encoding.
+	 * Need at least one content octet.
+	 * MSB must be clear in the last octet.
+	 * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
+	 */
+	if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
+	    p[len - 1] & 0x80)
+		{
+		ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
+		return NULL;
+		}
+	/* Now 0 < len <= INT_MAX, so the cast is safe. */
+	length = (int)len;
+	for (i = 0; i < length; i++, p++)
+		{
+		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
+			{
+			ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
+			return NULL;
+			}
+		}
 
 	/* only the ASN1_OBJECTs from the 'table' will have values
 	 * for ->sn or ->ln */
@@ -301,20 +324,20 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT
 	else	ret=(*a);
 
 	p= *pp;
-	if ((ret->data == NULL) || (ret->length < len))
+	if ((ret->data == NULL) || (ret->length < length))
 		{
 		if (ret->data != NULL) OPENSSL_free(ret->data);
-		ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
+		ret->data=(unsigned char *)OPENSSL_malloc(length);
 		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
 		if (ret->data == NULL)
 			{ i=ERR_R_MALLOC_FAILURE; goto err; }
 		}
-	memcpy(ret->data,p,(int)len);
-	ret->length=(int)len;
+	memcpy(ret->data,p,length);
+	ret->length=length;
 	ret->sn=NULL;
 	ret->ln=NULL;
 	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-	p+=len;
+	p+=length;
 
 	if (a != NULL) (*a)=ret;
 	*pp=p;
diff -up openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling openssl-fips-0.9.8e/crypto/objects/obj_dat.c
--- openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling	2006-02-15 16:03:47.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/objects/obj_dat.c	2014-08-08 11:36:22.487886979 +0200
@@ -443,11 +443,12 @@ int OBJ_obj2txt(char *buf, int buf_len,
 	unsigned char *p;
 	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
-	if ((a == NULL) || (a->data == NULL)) {
-		buf[0]='\0';
-		return(0);
-	}
+	/* Ensure that, at every state, |buf| is NUL-terminated. */
+	if (buf && buf_len > 0)
+		buf[0] = '\0';
 
+	if ((a == NULL) || (a->data == NULL))
+		return(0);
 
 	if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
 		{
@@ -523,9 +524,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
 				i=(int)(l/40);
 				l-=(long)(i*40);
 				}
-			if (buf && (buf_len > 0))
+			if (buf && (buf_len > 1))
 				{
 				*buf++ = i + '0';
+				*buf = '\0';
 				buf_len--;
 				}
 			n++;
@@ -540,9 +542,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
 			i = strlen(bndec);
 			if (buf)
 				{
-				if (buf_len > 0)
+				if (buf_len > 1)
 					{
 					*buf++ = '.';
+					*buf = '\0';
 					buf_len--;
 					}
 				BUF_strlcpy(buf,bndec,buf_len);
@@ -782,4 +785,3 @@ err:
 	OPENSSL_free(buf);
 	return(ok);
 	}
-