Fix DER decoding of UTF-8 Strings
Don't read more than the length indicated by the length field. Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
parent
d8d99887b5
commit
d463dab6d6
@ -56,7 +56,8 @@ int der_decode_utf8_string(const unsigned char *in, unsigned long inlen,
|
|||||||
|
|
||||||
https://tools.ietf.org/html/rfc3629#section-3
|
https://tools.ietf.org/html/rfc3629#section-3
|
||||||
*/
|
*/
|
||||||
for (y = 0; x < inlen; ) {
|
len += x;
|
||||||
|
for (y = 0; x < len; ) {
|
||||||
/* read first byte */
|
/* read first byte */
|
||||||
tmp = in[x++];
|
tmp = in[x++];
|
||||||
|
|
||||||
@ -87,7 +88,7 @@ int der_decode_utf8_string(const unsigned char *in, unsigned long inlen,
|
|||||||
/* now update z so it equals the number of additional bytes to read */
|
/* now update z so it equals the number of additional bytes to read */
|
||||||
if (z > 0) { --z; }
|
if (z > 0) { --z; }
|
||||||
|
|
||||||
if (x + z > inlen) {
|
if (x + z > len) {
|
||||||
return CRYPT_INVALID_PACKET;
|
return CRYPT_INVALID_PACKET;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
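Review bot: The new bound set by `len += x;` is only as trustworthy as the decoded DER length field, and nothing visible in this hunk shows `len` being compared with `inlen` before the addition. The body of der_decode_utf8_string starts and ends outside the hunk, so such a check may already exist above. If it does not, a length field larger than the remaining input would let both `x < len` and `x + z > len` pass for offsets beyond `inlen`, and a very large value could wrap the unsigned sum. I would state the precondition right before the addition in an overflow-safe form, `if (len > inlen - x) { return CRYPT_INVALID_PACKET; }`, assuming `x <= inlen` holds at that point. If the check is already there, a comment such as `/* len + x <= inlen was verified above; len is now the end offset of the string */` would record why the loop no longer consults `inlen`.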