From b3f7ecac48fb3b31f3340a745a4a5cfe947ecd82 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 16 Jan 2017 17:05:01 +0100
Subject: asn1_get_length_ber: pass the correct length to _asn1_get_indefinite_length_string

This addresses reading 1-byte past the end of data.
Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/decoding.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/decoding.c b/lib/decoding.c
index 27a02b3..c2e6027 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -114,7 +114,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
 k = der[0] & 0x7F;
 punt = 1;
 if (k)
- { /* definite length method */
+ { /* definite length method */
 ans = 0;
 while (punt <= k && punt < der_len)
 {
@@ -237,9 +237,9 @@ asn1_get_length_ber (const unsigned char *ber, int ber_len, int *len)
 long err;
 ret = asn1_get_length_der (ber, ber_len, len);
- if (ret == -1)
+ if (ret == -1 && ber_len > 1)
 { /* indefinite length method */
- err = _asn1_get_indefinite_length_string (ber + 1, ber_len, &ret);
+ err = _asn1_get_indefinite_length_string (ber + 1, ber_len-1, &ret);
 if (err != ASN1_SUCCESS)
 return -3;
 }
--
cgit v1.2.1
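Review bot: In the `asn1_get_length_ber` hunk, when `asn1_get_length_der` reports the indefinite form (`ret == -1`) but `ber_len` is 1 or less, the new guard skips the branch and `ret` stays -1 for whatever follows, so a truncated encoding is not reported the way a failed indefinite-length parse is (`-3`). The rest of the function lies outside the hunk; if it simply returns `ret`, callers must themselves treat -1 as an error, and that should be confirmed. An explicit `if (ret == -1 && ber_len <= 1) return -3;` ahead of the branch, or a comment documenting the -1 result, would make the truncated case unambiguous. A comment on the call such as `/* ber + 1 skips the length octet, so one byte fewer remains */` would record why the length is reduced, and `ber_len-1` would read `ber_len - 1` to match the spacing of `ber + 1`.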