From b8f89068222a5b5988cecff13f9d9509fefa91eb Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 13 Dec 2021 12:04:58 +1300
Subject: [PATCH] asn1: Fix binary search off-by-one read

Previously, if left==right==A1_HEADER_LEN(tos), this would read past the
end of the template array. Now we treat [left, right) as a half-open
interval and no longer try to read from 'right'.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
 lib/asn1/template.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/lib/asn1/template.c b/lib/asn1/template.c
index cd6125241..7e5a2decd 100644
--- a/lib/asn1/template.c
+++ b/lib/asn1/template.c
@@ -566,7 +566,7 @@ _asn1_decode_open_type(const struct asn1_template *t,
         const void *vp = DPO(data, ttypeid->offset);
         int c = -1;
 
-        while (left <= right) {
+        while (left < right) {
             size_t mid = (left + right) >> 1;
 
             if ((tos[3 + mid * 3].tt & A1_OP_MASK) != A1_OP_OPENTYPE_ID)
@@ -577,10 +577,7 @@ _asn1_decode_open_type(const struct asn1_template *t,
             else if (typeid_is_oid)
                 c = der_heim_oid_cmp(vp, tos[3 + mid * 3].ptr);
             if (c < 0) {
-                if (mid)
-                    right = mid - 1;
-                else
-                    break;
+                right = mid;
             } else if (c > 0) {
                 left = mid + 1;
             } else {