
libtasn1-4.2-4.1.mga5.src.rpm

From f435825c0f527a8e52e6ffbc3ad0bc60531d537e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 4 Apr 2016 15:06:21 +0200
Subject: [PATCH] _asn1_extract_der_octet: catch invalid input cases early

That is, check the calculated lengths for validity prior
to entering a loop. This avoids an infinite recursion.
Reported by Pascal Cuoq.
---
 lib/decoding.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/decoding.c b/lib/decoding.c
index 4fa045c..6fd60d0 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -767,10 +767,17 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
   DECR_LEN(der_len, len3);
 
   if (len2 == -1)
-    counter_end = der_len - 2;
+    {
+      if (der_len < 2)
+        return ASN1_DER_ERROR;
+      counter_end = der_len - 2;
+    }
   else
     counter_end = der_len;
 
+  if (counter_end < counter)
+    return ASN1_DER_ERROR;
+
   while (counter < counter_end)
     {
       DECR_LEN(der_len, 1);
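Review bot: The two guards added ahead of the `while` loop have no comment naming the malformed length each one rejects, and the diffstat lists only lib/decoding.c, so no test input is added that reaches them. Above `if (der_len < 2)` I would add `/* indefinite length: the two trailing octets subtracted below must exist */`, and above `if (counter_end < counter)` add `/* computed end lies before the current offset: malformed input */`. Both new paths use a bare `return ASN1_DER_ERROR;` while the surrounding code goes through `DECR_LEN`; if that macro also logs or jumps to a cleanup label (its definition is outside this hunk), the new exits should match it. The function begins before and continues past this hunk, so the initial value of `counter` is not visible here.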
-- 
1.7.10.4 
From a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 6 Apr 2016 13:02:19 +0200
Subject: [PATCH] _asn1_extract_der_octet: properly account the bytes read
 through indefinite encodings

This prevents infinite recursions in the function loop.
Reported by Pascal Cuoq.
---
 lib/decoding.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/decoding.c b/lib/decoding.c
index 6fd60d0..4fff03e 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -753,7 +753,7 @@ _asn1_delete_not_used (asn1_node node)
 
 static int
 _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
-			 int der_len, unsigned flags)
+			 int der_len, unsigned flags, int *bytes)
 {
   int len2, len3;
   int counter, counter_end;
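Review bot: The new `int *bytes` out-parameter is undocumented, and nothing at the signature says it may be NULL or that it is written only on success. Later in this patch it is stored under `if (bytes)` just before `return ASN1_SUCCESS;`, and get_octet_string passes `NULL`, so a comment above the function such as `/* On ASN1_SUCCESS, *bytes (if non-NULL) is set to the offset reached in der; it is left untouched on error. */` would record the contract. The function body continues outside this hunk.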
@@ -799,15 +799,19 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
 	  DECR_LEN(der_len, len3);
 	  result =
 	    _asn1_extract_der_octet (node, der + counter + len3,
-				     der_len, flags);
+				     der_len, flags, &len2);
 	  if (result != ASN1_SUCCESS)
 	    return result;
-	  len2 = 0;
+
+	  DECR_LEN(der_len, len2);
 	}
 
       counter += len2 + len3 + 1;
     }
 
+  if (bytes)
+    *bytes = counter;
+
   return ASN1_SUCCESS;
 
 cleanup:
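Review bot: The recursive call in the indefinite branch is still bounded only by the input length. Each level is entered after the loop's `DECR_LEN(der_len, 1)` (visible in the first patch) and `DECR_LEN(der_len, len3)`, so a buffer of nested indefinite-length elements can drive the recursion depth in proportion to its size, which on a large input risks exhausting the stack. The byte accounting added here makes the loop terminate but does not cap depth; I would thread a nesting counter through the call and return `ASN1_DER_ERROR` once it passes a small fixed limit chosen by the maintainers. Separately, `*bytes` is the nested call's final `counter`; whether that includes the trailing end-of-contents octets of a nested indefinite element is not evident from the hunk and is worth pinning with a test vector. The function starts before this hunk.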
@@ -889,7 +893,7 @@ get_octet_string (asn1_node node, const unsigned char *der, int der_len,
 	  asn1_length_der (tot_len, temp, &len2);
 	  _asn1_set_value (node, temp, len2);
 
-	  ret = _asn1_extract_der_octet (node, der, orig_der_len, flags);
+	  ret = _asn1_extract_der_octet (node, der, orig_der_len, flags, NULL);
 	  if (ret != ASN1_SUCCESS)
 	    {
 	      warn();
-- 
1.7.10.4