From a5da5bcb96df0adc2e8bf2af5611db40b1f4845e Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Fri, 20 Jun 2014 20:15:13 -0400
Subject: [PATCH] asn1: check overflow against SIZE_MAX not +1

A comparison of (len > len + 1) is permitted to be optimized out as dead code because it can't be true. Overflowing is an exceptional condition that results in undefined behavior. The correct conditional is (len == SIZE_MAX) when len is size_t.

Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
---
 lib/asn1/der_get.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/asn1/der_get.c b/lib/asn1/der_get.c
index f2bbc706f..f0495f33e 100644
--- a/lib/asn1/der_get.c
+++ b/lib/asn1/der_get.c
@@ -188,7 +188,7 @@ der_get_general_string (const unsigned char *p, size_t len,
 return ASN1_BAD_CHARACTER;
 }
 }
- if (len > len + 1) {
+ if (len == SIZE_MAX) {
 *str = NULL;
 return ASN1_BAD_LENGTH;
 }
@@ -217,7 +217,7 @@ int
 der_get_printable_string(const unsigned char *p, size_t len,
 heim_printable_string *str, size_t *size)
 {
- if (len > len + 1) {
+ if (len == SIZE_MAX) {
 gen_data_zero(str);
 return ASN1_BAD_LENGTH;
 }
@@ -493,7 +493,7 @@ der_get_time (const unsigned char *p, size_t len,
 char *times;
 int e;
- if (len > len + 1 || len == 0)
+ if (len == SIZE_MAX || len == 0)
 return ASN1_BAD_LENGTH;
 times = malloc(len + 1);
@@ -531,7 +531,7 @@ der_get_oid (const unsigned char *p, size_t len,
 if (len < 1)
 return ASN1_OVERRUN;
- if (len > len + 1)
+ if (len == SIZE_MAX)
 return ASN1_BAD_LENGTH;
 if (len + 1 > UINT_MAX/sizeof(data->components[0]))
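Review bot: The new test `if (len == SIZE_MAX)` in der_get_general_string, and the same test in the der_get_printable_string, der_get_time and der_get_oid hunks, relies on `SIZE_MAX` being defined, yet the patch adds no `#include <stdint.h>` and the include block of lib/asn1/der_get.c is outside every hunk. If the macro only arrives indirectly through a project header, a toolchain without a C99 `<stdint.h>` would stop compiling this file, so either add the include or a guarded fallback such as `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif`. A short comment at each site, for example `/* reject SIZE_MAX: a later len + 1 would wrap to 0 */`, would also record why this one length is refused. The function body starts and ends outside this hunk.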
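Review bot: In der_get_oid the added `if (len == SIZE_MAX)` test and the unchanged `if (len + 1 > UINT_MAX/sizeof(data->components[0]))` test below it can be written as one comparison that performs no addition at all: `if (len >= UINT_MAX/sizeof(data->components[0])) return ASN1_BAD_LENGTH;`. For every size_t value this rejects the same lengths, SIZE_MAX included, and it removes the ordering dependency between the two checks, so a later edit cannot bring the wrap back by moving or deleting the first one. The allocation these checks protect is outside the hunk, so the bound should be confirmed against the multiplication done there.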