1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 38cb901f92d8977ca74f324cb04d53a4870458a6 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@zoho.com>
Date: Mon, 2 Jun 2014
Subject: CVE-2014-3468
This is a backport adaptation for use with GnuTLS 2.8.6.
Relevant upstream commit(s):
-------------------------
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1
---
lib/minitasn1/decoding.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -210,7 +210,7 @@ asn1_get_octet_der (const unsigned char
int *ret_len, unsigned char *str, int str_size,
int *str_len)
{
- int len_len;
+ int len_len = 0;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d
int *ret_len, unsigned char *str, int str_size,
int *bit_len)
{
- int len_len, len_byte;
+ int len_len = 0, len_byte;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d
*ret_len = len_byte + len_len + 1;
*bit_len = len_byte * 8 - der[len_len];
+ if (*bit_len <= 0)
+ return ASN1_DER_ERROR;
+
if (str_size >= len_byte)
memcpy (str, der + len_len + 1, len_byte);
else
|
