authorJohn M. Schanck <jschanck@mozilla.com>2023-02-23 16:22:07 +0000
committerJohn M. Schanck <jschanck@mozilla.com>2023-02-23 16:22:07 +0000
commit9c627ae6c3d0ed7e12a5de333116c253e2213f5c (patch)
treea6b20dc31af2da1525bbf97ee74f8658e1ea879d
parent9335f57fdca3183cfe7f6d87a0f1523581a61c44 (diff)
Bug 1804660 - Make high tag number assertion failure an error. r=nss-reviewers,djackson
If a template has an OPTIONAL field, and we find that the input does not match that field's tag number, we mark the field as missing. If the next field is an ASN.1 ANY, we need to write the previously-parsed tag number out. Since high tag number forms are rare, we never implemented the necessary re-encoding of multi-byte tags, and we noted this with an assertion. That assertion is remotely triggerable in debug builds. This patch removes the assertion and returns a SEC_ERROR_LIBRARY_FAILURE instead. Differential Revision: https://phabricator.services.mozilla.com/D170678
-rw-r--r--lib/util/secasn1d.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c
index bbb41a61c..01f1c6e5c 100644
--- a/lib/util/secasn1d.c
+++ b/lib/util/secasn1d.c
@@ -2207,9 +2207,13 @@ sec_asn1d_next_in_sequence(sec_asn1d_state *state)
* In practice this does not happen, but for completeness
* sake it should probably be made to work at some point.
*/
- PORT_Assert(child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
- identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
- sec_asn1d_record_any_header(child, (char *)&identifier, 1);
+ if (child_found_tag_modifiers >= SEC_ASN1_HIGH_TAG_NUMBER) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ state->top->status = decodeError;
+ } else {
+ identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
+ sec_asn1d_record_any_header(child, (char *)&identifier, 1);
+ }
}
}
}
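Review bot: The new guard `if (child_found_tag_modifiers >= SEC_ASN1_HIGH_TAG_NUMBER)` tests the modifier bits, whereas the assertion it replaces bounded `child_found_tag_number`, so the condition looks like a typo and should read `if (child_found_tag_number >= SEC_ASN1_HIGH_TAG_NUMBER) {`. As written, a high tag number with no modifier bits set still reaches the else branch, where the cast to `unsigned char` records a one-byte identifier for it; that is the case the commit message says should fail with SEC_ERROR_LIBRARY_FAILURE. Conversely, if the modifiers hold the class/constructed bits above the tag-number field (their layout is not visible in this hunk, so worth confirming), ordinary inputs with those bits set would now be rejected as decode errors. A regression test covering an OPTIONAL field followed by an ANY, once with a high tag number and once with a constructed low tag number, would pin the intended behaviour. The enclosing function sec_asn1d_next_in_sequence starts outside the hunk.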