author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-04 15:06:21 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-04 15:07:04 +0200 |
commit | f435825c0f527a8e52e6ffbc3ad0bc60531d537e (patch) | |
tree | bdf64e93fd9365b7b9feebe682326d167fb87b4c /lib | |
parent | d3ca1b00bd920191f1e15a530a45c19bc3ebd0ef (diff) | |
download | libtasn1-f435825c0f527a8e52e6ffbc3ad0bc60531d537e.tar.gz |
_asn1_extract_der_octet: catch invalid input cases early
That is, check the calculated lengths for validity prior
to entering a loop. This avoids an infinite recursion.
Reported by Pascal Cuoq.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/decoding.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/decoding.c b/lib/decoding.c index 4fa045c..6fd60d0 100644 --- a/lib/decoding.c +++ b/lib/decoding.c @@ -767,10 +767,17 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der, DECR_LEN(der_len, len3); if (len2 == -1) - counter_end = der_len - 2; + { + if (der_len < 2) + return ASN1_DER_ERROR; + counter_end = der_len - 2; + } else counter_end = der_len; + if (counter_end < counter) + return ASN1_DER_ERROR; + while (counter < counter_end) { DECR_LEN(der_len, 1); |
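Review bot: The two new bail-outs in the `len2 == -1` branch and before the `while` loop use a bare `return ASN1_DER_ERROR;`, while every other length failure in the visible lines goes through `DECR_LEN`. If `DECR_LEN` exits this function via a shared error path (a result variable and a cleanup label), the new checks should take the same path so that all failure exits behave alike; if it also returns directly, this is fine as is. Separately, the constant in `if (der_len < 2)` and `counter_end = der_len - 2;` has no comment. A one-line note saying what the two bytes are (presumably the trailing end-of-contents octets when `len2 == -1`) would make the bound easier to audit. The check `if (counter_end < counter)` lets the case `counter_end == counter` through, which simply skips the loop; that looks intended, but it is worth stating in a comment. A regression test built from the reported input would keep this from coming back.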