From c6fab6c871ee215052e4056c527dc84c2c62a09d Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 3 Mar 2021 23:29:25 -0600
Subject: [PATCH] asn1: Fix open decode bug found by AFL
Should always run AFL before pushing changes to the ASN.1 compiler or template interpreter! Still fuzzing. There are crashers in the _asn1_print() path, though right now they cannot affect anything else in Heimdal other than asn1_print, since that's the only thing calling it yet.
---
 lib/asn1/template.c | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/lib/asn1/template.c b/lib/asn1/template.c
index 3f69dd2fb..0cccc1c5c 100644
--- a/lib/asn1/template.c
+++ b/lib/asn1/template.c
@@ -645,6 +645,7 @@ _asn1_decode_open_type(const struct asn1_template *t,
 * All the union arms are pointers.
 */
 if (ret) {
+ _asn1_free(tactual_type->ptr, o);
 free(o);
 /*
 * So we failed to decode the open type -- that should not be fatal
@@ -688,26 +689,18 @@ _asn1_decode_open_type(const struct asn1_template *t,
 /* Increment the count of decoded values as we decode */
 *lenp = len;
 for (i = 0; ret != ENOMEM && i < len; i++) {
- if ((val[i] = calloc(len, tactual_type->offset)) == NULL)
+ if ((val[i] = calloc(1, tactual_type->offset)) == NULL)
 ret = ENOMEM;
 if (ret == 0 && d[i])
 /* Re-enter to decode the encoded open type value */
- ret = _asn1_decode(tactual_type->ptr, flags, d[i]->data,
- d[i]->length, val[i], &sz);
+ ret = _asn1_decode(tactual_type->ptr, flags, d[0][i].data,
+ d[0][i].length, val[i], &sz);
 if (ret) {
+ _asn1_free(tactual_type->ptr, val[i]);
 free(val[i]);
 val[i] = NULL;
 }
 }
- if (ret == ENOMEM) {
- for (i = 0; i < len; i++) {
- _asn1_free(tactual_type->ptr, val[i]);
- free(val[i]);
- }
- free(val);
- val = 0;
- *lenp = 0;
- }
 if (ret != ENOMEM)
 ret = 0; /* See above */
 *dp = val;
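Review bot: The guard `if (ret == 0 && d[i])` in the second hunk still indexes `d` as an array of pointers, while the decode call right below it now reads `d[0][i].data` / `d[0][i].length`, so for `i > 0` the check looks at `d + i` rather than at element `i` of the array `d[0]` points to; if `d` is a single pointer to the octet-string array, as the new indexing implies, that is an out-of-bounds read and the check no longer guards the value actually being decoded. It should read `if (ret == 0 && d[0][i].data)`, or simply `if (ret == 0)` if a NULL data pointer is already rejected earlier. Separately, with the ENOMEM cleanup block removed the function now returns ENOMEM with `*dp = val` and `*lenp = len` while `val[]` may hold NULL slots, so a comment at `*dp = val;` such as `/* On ENOMEM val[] may contain NULL entries; the free path must tolerate them */` would document the contract the caller's free routine now has to meet, since that routine is outside this hunk. `_asn1_decode_open_type` starts before both hunks and the declaration of `d` is not visible here, so the exact type is inferred from the new indexing.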