Fix some bugs in the code that formats OIDs for printing.

Bugscape bug 53334.

1 files changed, 11 insertions, 2 deletions

diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
index 74bbb7d85..f1a450f47 100644
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -548,10 +548,15 @@ CERT_GetOidString(const SECItem *oid)
     PRUint8 *end;
     PRUint8 *d;
     PRUint8 *e;
-    char *a;
+    char *a         = NULL;
     char *b;
 
-    a = (char *)NULL;
+#define MAX_OID_LEN 1024 /* bytes */
+
+    if (oid->len > MAX_OID_LEN) {
+    	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return NULL;
+    }
 
     /* d will point to the next sequence of bytes to decode */
     d = (PRUint8 *)oid->data;
@@ -670,6 +675,8 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava)
     } else {
 	/* handle unknown attribute types per RFC 2253 */
 	tagName = unknownTag = CERT_GetOidString(&ava->type);
+	if (!tagName)
+	    return SECFailure;
     }
     maxLen = n2k->maxLen;
 
@@ -690,6 +697,7 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava)
     /* Check value length */
     if (avaValue->len > maxLen) {
 	if (unknownTag) PR_smprintf_free(unknownTag);
+	SECITEM_FreeItem(avaValue, PR_TRUE);
 	PORT_SetError(SEC_ERROR_INVALID_AVA);
 	return SECFailure;
     }
@@ -697,6 +705,7 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava)
     len = PORT_Strlen(tagName);
     if (len+1 > sizeof(tmpBuf)) {
 	if (unknownTag) PR_smprintf_free(unknownTag);
+	SECITEM_FreeItem(avaValue, PR_TRUE);
 	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 	return SECFailure;
     }