From d0298e580419975daaa3b628ad42ff9bdf4306f4 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 11 Mar 2021 09:13:09 -0600
Subject: [PATCH] asn1: Fix recent der_replace_tag() bug

Recently introduced.
---
 lib/asn1/der_put.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/asn1/der_put.c b/lib/asn1/der_put.c
index 122dbf7cc..b470e69d2 100644
--- a/lib/asn1/der_put.c
+++ b/lib/asn1/der_put.c
@@ -471,6 +471,8 @@ der_replace_tag(const unsigned char *p, size_t len,
 e = der_get_length(p, len, &payload_len, &len_len);
 if (e)
 return e;
+ if (payload_len > len)
+ return ASN1_OVERFLOW;
 /*
 * `p' now points at the payload; `*out' + the length of the tag points at
 * where we should copy the DER length and the payload.
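Review bot: The added bound `if (payload_len > len)` compares against a `len` that, as far as this hunk shows, still counts the `len_len` length octets just parsed by `der_get_length()`, because nothing between the call and the check advances `p` or reduces `len`. If the code after the comment copies `len_len + payload_len` bytes starting at `p` (not visible here), a `payload_len` in the last `len_len` bytes of the allowed range would pass the check and still read past the input buffer. The tighter form would be `if (payload_len > len - len_len) return ASN1_OVERFLOW;`, assuming `der_get_length()` guarantees `len_len <= len` on success. The comment's statement that `p` "now points at the payload" also does not match the visible code and is worth correcting in the same change. The body of `der_replace_tag` starts and ends outside the hunk.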