diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 8baac24..587cccc 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
e16d0c94ff2c9e93ba4eea60f7b68478
>
files
>
107
