Fix other occurrences of same bounds check issue

Security impact is the same: not triggerrable remotely except in very specific
use cases
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 12:23:09 +02:00
parent 22c3b7b9da
commit 4dc9b394d3
2 changed files with 5 additions and 2 deletions

View File

@ -96,7 +96,7 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
return( ret );
}
if( *p - start < (int) len )
if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*p -= len;

View File

@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
int ret;
size_t len = 0;
if( *p - start < (int) size + 1 )
if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size;
(*p) -= len;
memcpy( *p, sig, len );
if( *p - start < 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--(*p) = 0;
len += 1;