diff options
author | John M. Schanck <jschanck@mozilla.com> | 2022-08-18 09:12:01 +0000 |
---|---|---|
committer | John M. Schanck <jschanck@mozilla.com> | 2022-08-18 09:12:01 +0000 |
commit | fd5475e9529d7ad496ebefa0a0d66be0c696d9b7 (patch) | |
tree | 203f40a1bda6d66b3b3c5d9e6ab53facfc8cf6d1 | |
parent | 147fa414c3e9eba20eca01a9a97ca2bbb76ba2ff (diff) | |
download | nss-hg-fd5475e9529d7ad496ebefa0a0d66be0c696d9b7.tar.gz |
Bug 1330271 - check for null template in sec_asn1{d,e}_push_state. r=nss-reviewers,djackson
Some of our dynamic template choosers, e.g. sec_pkcs12_choose_attr_type, can
return NULL. This patch adds some defensive checks to avoid crashes when
they do.
Differential Revision: https://phabricator.services.mozilla.com/D150290
-rw-r--r-- | lib/util/secasn1d.c | 5 | ||||
-rw-r--r-- | lib/util/secasn1e.c | 6 |
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c index d219ee0c2..47e1abd0a 100644 --- a/lib/util/secasn1d.c +++ b/lib/util/secasn1d.c @@ -365,6 +365,11 @@ sec_asn1d_push_state(SEC_ASN1DecoderContext *cx, state->our_mark = PORT_ArenaMark(cx->our_pool); } + if (theTemplate == NULL) { + PORT_SetError(SEC_ERROR_BAD_TEMPLATE); + goto loser; + } + new_state = (sec_asn1d_state *)sec_asn1d_zalloc(cx->our_pool, sizeof(*new_state)); if (new_state == NULL) { diff --git a/lib/util/secasn1e.c b/lib/util/secasn1e.c index fb3feef52..41d284897 100644 --- a/lib/util/secasn1e.c +++ b/lib/util/secasn1e.c @@ -94,8 +94,12 @@ sec_asn1e_push_state(SEC_ASN1EncoderContext *cx, { sec_asn1e_state *state, *new_state; - state = cx->current; + if (theTemplate == NULL) { + cx->status = encodeError; + return NULL; + } + state = cx->current; new_state = (sec_asn1e_state *)PORT_ArenaZAlloc(cx->our_pool, sizeof(*new_state)); if (new_state == NULL) { |