Check for truncated integers: the encoded length may be greater than

the data buffer. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11339 ec53bebd-3082-4978-b11e-865c3cabbd6b
2002-09-03 16:21:49 +00:00
parent c2a12cf859
commit 9cb7b201a4
1 changed files with 4 additions and 0 deletions
--- a/lib/asn1/der_get.c
+++ b/lib/asn1/der_get.c
@@ -252,6 +252,8 @@ decode_integer (const unsigned char *p, size_t len,
    p += l;
    len -= l;
    ret += l;
+    if (reallen > len)
+	return ASN1_OVERRUN;
    e = der_get_int (p, reallen, num, &l);
    if (e) return e;
    p += l;
@@ -279,6 +281,8 @@ decode_unsigned (const unsigned char *p, size_t len,
    p += l;
    len -= l;
    ret += l;
+    if (reallen > len)
+	return ASN1_OVERRUN;
    e = der_get_unsigned (p, reallen, num, &l);
    if (e) return e;
    p += l;